Industry context: Agentic coding tools that execute developer workflows can amplify small, indirect supply-chain tricks into full compromise, creating new operational risk for engineers and CI systems. According to reporting by BleepingComputer and Tom's Hardware, researchers at Mozilla's Zero Day Investigative Network (0DIN) demonstrated a proof-of-concept that uses a seemingly clean GitHub repository to cause Anthropic's Claude Code to execute a reverse shell. Per those reports, the chain uses three innocuous steps - a package that refuses to run until initialized, an initialization command (python3 -m axiom init) that runs a script, and a DNS TXT record under attacker control that the script retrieves and executes - enabling an attacker to obtain a shell with the developer's privileges.
They Taught Themselves to Hack