1 hour ago
19
Here’s a nightmare scenario for any developer who has embraced AI coding assistants: you clone a repository, open it with your AI tool, and without clicking anything suspicious or downloading any malware, an attacker now has remote access to your machine.
That’s exactly what Mozilla’s 0Din security researchers have demonstrated. The attack targets developers using Claude Code, Anthropic’s command-line AI coding assistant, by embedding indirect prompts into seemingly innocuous Git repositories. When Claude Code processes the repository’s contents, it interprets those hidden instructions and can be tricked into spawning a reverse shell, effectively handing control of the developer’s system to a remote attacker.
How the attack works
Attackers embed malicious prompts directly into repository files, such as code comments, documentation, or configuration files. When a developer opens the project using Claude Code, the AI reads the repository contents as context for its operations. Because Claude Code has the ability to execute shell commands as part of its workflow, the embedded prompts can instruct it to run arbitrary commands on the developer’s machine. The end result is a reverse shell, a connection from the victim’s computer back to the attacker’s server that gives the attacker interactive access.
The critical detail here: no traditional malware is involved. No suspicious executables, no phishing links, no social engineering beyond the developer simply opening a project file. The AI assistant itself becomes the attack vector.
A pattern, not an isolated incident
This isn’t the first time AI coding tools have been weaponized. A related attack technique called Agentjacking uses fake Sentry error messages to manipulate tools like Claude Code. That approach achieved an 85% success rate across more than 100 organizations.
Then there’s TrapDoor, a separate attack campaign identified in May 2026 that exploited AI configuration files to exfiltrate sensitive data. That one specifically targeted wallet information by hiding covert instructions in AI config files.
The through-line across all of these attacks is what security researchers call “indirect prompt injection.” Instead of attacking the AI model itself, attackers poison the data the model consumes.
What this means for developers and investors
For individual developers, the immediate takeaway is straightforward: treat any repository you don’t fully trust with the same caution you’d apply to downloading an unknown executable. AI coding assistants that can execute shell commands should be sandboxed or restricted when working with unfamiliar codebases.
For organizations, companies that have integrated AI coding tools into their development workflows now face a new category of supply chain risk. Every open-source dependency, every third-party repository, every code contribution from an external collaborator is a potential vector for indirect prompt injection. Security teams will need to develop new review processes specifically designed to catch embedded prompt attacks, something most code review tooling isn’t built for today.
The crypto-specific implications are worth noting separately. While this particular Claude Code attack doesn’t directly target digital assets, the TrapDoor campaign from May 2026 demonstrated that AI-based attacks can and will target wallet credentials and private keys. Developers working on crypto projects represent a high-value target set where a compromised developer machine in a DeFi project could constitute a significant financial exploit.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
English (US) ·