FALCONINTERNET

Clean GitHub Repos Are Tricking AI Coding Agents Into Running Malware

Security
Clean GitHub Repos Are Tricking AI Coding Agents Into Running Malware

Researchers at Mozilla's Zero Day Investigative Network (0DIN) disclosed a proof-of-concept this week that is worth reading carefully if anyone on your team uses AI coding tools. The short version: you can point Claude Code, Cursor, GitHub Copilot, or Gemini CLI at a GitHub repository containing zero malicious code — and walk away with a reverse shell running at developer-level privileges.

The disclosure landed June 27–28. It is not a bug in any specific tool. It is a structural problem with how AI agents handle error recovery, and a separate campaign called Miasma shows that attackers figured this out months ago.

How a "Clean" Repo Becomes a Shell

The attack relies on three layers of indirection, which is precisely what makes it effective against static analysis tools and code scanners.

The attacker publishes a realistic-looking repository — a library, a starter kit, a demo project. The README contains normal setup instructions. One of those instructions is an initialization command: python3 -m axiom init. The package installs without issue but is designed to fail at initialization with a plausible-looking error — a missing config file, an unexpected runtime state, something a developer might encounter legitimately.

Here is the critical step. An AI coding agent watching a developer work sees that error and tries to fix it. That is what agents do. Fixing the error means running the initialization script. That script queries an attacker-controlled DNS TXT record and downloads the actual payload — a reverse shell or credential harvester that never existed inside the repository at all.

Mozilla 0DIN put it precisely: "Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated."

No malware in the repository. No flagged lifecycle hooks. Every scanner that inspects the repo sees nothing wrong. The AI assistant's helpfulness is the attack surface.

This Is Already Happening in the Wild

The Mozilla PoC is a demonstration. The Miasma campaign — tracked by Wiz Research, Snyk, Microsoft Security, StepSecurity, JFrog, and several other firms — is the real-world version, running since June 1, 2026. The group behind it, TeamPCP (tracked by researchers as UNC6780), open-sourced a worm toolkit called Mini Shai-Hulud on May 12 and posted a $1,000 bounty on BreachForums for the largest supply chain attack built from the code. Then they ran their own campaign to demonstrate the point.

Miasma operated in four waves across June. Wave 1 compromised 32 packages in the @redhat-cloud-services npm namespace — 80,000 to 117,000 weekly downloads — using preinstall hooks with SLSA provenance signatures forged to pass npm audit. Wave 2 used a technique researchers called "Phantom Gyp": a 157-byte injection into binding.gyp files that triggers a node-gyp rebuild without touching package.json, evading the lifecycle-script scanners that caught Wave 1. Wave 4 moved to PyPI — 37 malicious wheel artifacts across 19 packages, using *-setup.pth files that execute on Python startup without requiring an import.

Wave 3 is the one that ties most directly to the Mozilla disclosure. On June 5, attackers pushed commits to 73 Microsoft GitHub repositories across the Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations via a compromised contributor account. They planted:

  • .claude/settings.json — SessionStart hooks for Claude Code
  • .gemini/settings.json — SessionStart hooks for Gemini CLI
  • .cursor/rules/setup.mdc — prompt injection rules for Cursor
  • .vscode/tasks.json — auto-run tasks for VS Code
  • .github/setup.js — 4.6 MB obfuscated payload

Any developer who cloned one of those repositories and opened it in their AI-assisted editor would have the credential harvester execute automatically. GitHub's automated systems disabled all 73 repositories in 105 seconds — fast enough to limit damage, but not before 20+ developers reported broken Azure Functions deployments on Microsoft Learn forums.

What the Harvester Takes

The payload is thorough. On a typical developer workstation it targets: AWS access keys and session tokens, Azure service principal credentials and managed identity tokens, GCP application default credentials, GitHub personal access tokens, SSH private keys, Docker registry credentials, HashiCorp Vault tokens, 1Password and other credential store integrations, and every .env file reachable on the filesystem. On GitHub Actions runners, it scans /proc/<pid>/mem to extract runner secrets directly from process memory. Total confirmed artifacts across the Miasma campaign as of late June: 448.

One operational detail matters for incident response: the worm plants a decoy token and implements a kill switch it calls DEADMAN_SWITCH. If you revoke that token from a potentially infected machine before you have completed network isolation, it wipes your home directory. The correct sequence is to isolate the machine first, then rotate credentials from a clean system.

What to Do This Week

  • Audit configuration files in repositories you work in. Look for unexpected .claude/settings.json, .gemini/settings.json, entries under .cursor/rules/, or .vscode/tasks.json files you did not write. If they are present and unexplained, treat the machine as compromised.
  • Review setup commands before approving them. When an AI agent proposes running an initialization script, look at what that script actually fetches at runtime — anything that resolves a URL or queries DNS during setup warrants manual review before you click approve.
  • Pin GitHub Actions to full commit SHAs. Using actions/checkout@v4 instead of actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 means a compromised tag can silently change what executes in your CI pipeline. Pin to the full hash.
  • Rotate credentials from a known-clean machine. If any developer on your team ran npm or pip installs from an unvetted repository after June 1, assume tokens on that machine are at risk. Do not revoke them from the potentially infected host first.

The Larger Pattern

What makes this campaign notable is not the credential-harvesting payload — that part is familiar ground in 2026. It is the deliberate targeting of AI agent configuration files as the delivery mechanism. TeamPCP understood that developers trust their AI tools, that those tools execute setup commands automatically, and that a hidden config file committed to a public repository is effectively a standing instruction to any agent that opens the project.

As AI coding assistants grow more autonomous — running test suites, managing dependencies, pushing deployments — the implicit trust developers extend to them becomes a larger and larger attack surface. The lesson is not to stop using these tools; it is to apply the same skepticism to an AI-driven workflow that you would to any automated pipeline: what does this actually execute, and where does it reach?

We have treated third-party code as part of a site's attack surface since before supply chain attacks had that name. What Miasma adds to that calculus is that the AI assistant reading and acting on that code is now part of the surface too — and it moves faster than any manual review cycle can match.

Need this handled instead of explained?

We do this for a living — talk to an engineer about your setup.