Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: code-execution (1 article)Clear

Clean GitHub repos trick AI coding agents into fetching and running malware

Researchers at Mozilla's 0DIN found that an AI coding agent told to clone and set up a seemingly harmless GitHub repository can be tricked into running malware that stays invisible to security scanners, the agent itself, and human reviewers. The trick is that nothing malicious sits in the repository's files. Instead, a routine-looking setup command runs a script that fetches a value hidden in a DNS TXT record and executes it as a shell command, pulling down and running an attacker's payload like a reverse shell. Because the payload lives outside the repo and arrives over DNS at setup time, code review and static scanning see nothing wrong.

Check
Review how your AI coding agents and developers set up unfamiliar repositories, and check whether setup or build commands can make outbound network or DNS requests that fetch and execute external content.
Affected
Developers and teams that let AI coding agents automatically run setup steps for untrusted repositories; the malicious payload is fetched at setup time over DNS, so scanning the repository alone misses it.
Fix
Run repository setup for untrusted code in sandboxes without credentials, restrict outbound network and DNS during setup, and treat agent setup and build commands as untrusted code execution rather than safe automation.