An innovative coding tool designed to clone and set up harmless GitHub repositories has been found to potentially execute malicious code without detection by security tools, AI systems, or human reviewers.

A recent study by Mozilla’s Zero Day Investigative Network (0DIN) AI security platform revealed that this compromise occurs without any visible warning or suspicious activity that could raise alarms.

According to researchers, the attack involves exploiting a flaw in the cloning process of GitHub repositories, allowing an attacker to plant a hidden interactive shell on a developer’s system without the need for traditional malicious code.

The attack method consists of three seemingly harmless components that, when combined, create a significant security risk:

1. A GitHub repository with standard setup instructions, including dependency installation and project initialization commands.
2. A Python package that intentionally triggers an error message, instructing the user to run a specific command. The coding agent automatically executes this command, unknowingly advancing the attack.
3. Executing the suggested command triggers a shell script that retrieves configuration data from a DNS TXT record controlled by the attacker, ultimately leading to the execution of a hidden command.

Researchers emphasize that this attack does not require any malicious code within the cloned repository. The coding agent handles the entire process, including resolving a common setup error, without raising suspicion.

If successful, the attacker gains access to the developer’s system with escalated privileges, allowing them to extract sensitive information, manipulate environment variables, and establish persistent access.

According to 0DIN researchers, the coding agent unwittingly facilitates the attacker’s access by interpreting an error message as a legitimate command, ultimately resulting in the execution of the hidden shell.

While this attack method is currently theoretical, 0DIN warns that threat actors could easily distribute compromised GitHub repositories through various channels, such as fake job listings, tutorials, or direct messages.

To mitigate such risks, 0DIN advises AI agents to provide full transparency regarding the execution chain of setup commands, including dynamically fetched scripts and code.

Security teams only detect 14% of successful attacks, leaving 86% unnoticed. Discover how Picus breach and attack simulation can enhance your security defenses.

Download the whitepaper now to fortify your SIEM and EDR capabilities.