Clean GitHub repos trick AI coding agents into fetching and running malware
Researchers at Mozilla's 0DIN found that an AI coding agent told to clone and set up a seemingly harmless GitHub repository can be tricked into running malware that stays invisible to security scanners, the agent itself, and human reviewers. The trick is that nothing malicious sits in the repository's files. Instead, a routine-looking setup command runs a script that fetches a value hidden in a DNS TXT record and executes it as a shell command, pulling down and running an attacker's payload like a reverse shell. Because the payload lives outside the repo and arrives over DNS at setup time, code review and static scanning see nothing wrong.
- Check
- Review how your AI coding agents and developers set up unfamiliar repositories, and check whether setup or build commands can make outbound network or DNS requests that fetch and execute external content.
- Affected
- Developers and teams that let AI coding agents automatically run setup steps for untrusted repositories; the malicious payload is fetched at setup time over DNS, so scanning the repository alone misses it.
- Fix
- Run repository setup for untrusted code in sandboxes without credentials, restrict outbound network and DNS during setup, and treat agent setup and build commands as untrusted code execution rather than safe automation.