'Agentic coding tools have access to everything they need for this': Security experts warn Claude Code can be exploited simply by trying to be helpful
Date:
Sat, 04 Jul 2026 20:10:00 +0000
Description:
A hidden DNS record tricked Claude Code into opening a reverse shell during routine error recovery, bypassing every standard security scanning tool completely.
FULL STORY ======================================================================Copy link Facebook X Whatsapp Reddit Pinterest Flipboard Threads Email Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter Claude Code ran the dangerous command while treating it as routine recovery A single fake error message triggered the entire hidden attack chain Static scanners and firewalls saw nothing more than normal DNS resolution Researchers at Mozilla's 0din team have shown how Claude Code can be manipulated into opening a hidden reverse shell on a developer's device.
The exploit required no malicious code inside the cloned project, since every visible file passed ordinary review without raising suspicion. Instead, the dangerous instruction arrived later, fetched at runtime from a DNS text
record that no scanner would ever inspect. Latest Videos From Watch full
video here: How a Routine Setup Error Became an Entry Point The attack began with an unremarkable Markdown file explaining how to install a package called Axiom, a common monitoring tool.
Running the tool without initialising it produced a plain error message instructing the user to execute a specific setup command. You may like
Experts warn Claude feature hijacked by hackers to launch major malware campaign 'Threat actors are clearly adapting to the widespread interest in popular AI tools': AI fans beware, hackers create a fake Claude site to
spread backdoor malware A developer found a Claude Code plugin collecting extensive telemetry across projects
The research team noted this pattern closely resembles ordinary developer troubleshooting, which is precisely why it evaded suspicion so effectively.
Claude Code, attempting only to be helpful, followed that written instruction automatically, treating the documented fix as ordinary routine error
recovery. Are you a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.
That single command triggered a hidden shell script which quietly queried a DNS text record controlled entirely by the remote attacker.
The record decoded into a base64-encoded reverse shell command, which
executed silently and connected straight back to the attacker's remote
server.
Persistence was also possible once inside, since the attacker could plant an SSH key or schedule a hidden cron job. What to read next Mac users beware scammers are hijacking Claude chats and Google ads to push malware Hackers
use Claude and ChatGPT to breach government agencies Claude Mythos turns
years of security research into 20-hour AI exploits
A single repository link shared in a job posting or chat message could expose every developer who simply opened it. Why standard security tools failed to notice Regular security tools, such as antivirus software or firewall protection , failed to notice this flaw since none of the individual steps looked suspicious on their own.
Static code-scanning tools only registered a routine DNS lookup, which did
not indicate anything malicious underway.
Network monitoring registered nothing more than ordinary domain name resolution, and the agent itself viewed the command as a pre-authorised
setup.
0din stressed that coding agents need to inspect exactly what setup script will actually run before executing anything at all.
It concluded that developers should never assume an unfamiliar repository is trustworthy, regardless of how ordinary its setup files appear.
This case suggests that agentic AI tools built on large language models may need far stronger runtime safeguards.
Until such agents can meaningfully evaluate what a command actually executes, similar indirect attacks will likely remain difficult to prevent.
The broader lesson extends beyond Claude Code, since most agentic AI systems share similar blind spots toward indirect prompt injection.
For now, treating unfamiliar automation as a genuine risk remains the single most reliable safeguard available to most individual developers. Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/agentic-coding-tools-have-access-to-eve rything-they-need-for-this-security-experts-warn-claude-code-can-be-exploited- simply-by-trying-to-be-helpful
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)