{"slug": "new-attack-exploits-claude-code-to-hijack-developer-machines-through-poisoned", "title": "New attack exploits Claude Code to hijack developer machines through poisoned repositories", "summary": "Mozilla's 0Din security team demonstrated a new attack that exploits Claude Code, Anthropic's AI coding assistant, by embedding malicious prompts in Git repositories. When developers open a poisoned repository, Claude Code executes hidden commands that spawn a reverse shell, giving attackers remote access to the machine without any traditional malware. The attack highlights a growing risk of indirect prompt injection in AI-powered development tools.", "body_md": "# New attack exploits Claude Code to hijack developer machines through poisoned repositories\n\nMozilla's 0Din security team demonstrates how hidden prompts in Git repos can trick AI coding assistants into opening reverse shells\n\nHere’s a nightmare scenario for any developer who has embraced AI coding assistants: you clone a repository, open it with your AI tool, and without clicking anything suspicious or downloading any malware, an attacker now has remote access to your machine.\n\nThat’s exactly what Mozilla’s 0Din security researchers have demonstrated. The attack targets developers using Claude Code, Anthropic’s command-line AI coding assistant, by embedding indirect prompts into seemingly innocuous Git repositories. When Claude Code processes the repository’s contents, it interprets those hidden instructions and can be tricked into spawning a reverse shell, effectively handing control of the developer’s system to a remote attacker.\n\n## How the attack works\n\nAttackers embed malicious prompts directly into repository files, such as code comments, documentation, or configuration files. When a developer opens the project using Claude Code, the AI reads the repository contents as context for its operations. 
Because Claude Code has the ability to execute shell commands as part of its workflow, the embedded prompts can instruct it to run arbitrary commands on the developer’s machine. The end result is a reverse shell, a connection from the victim’s computer back to the attacker’s server that gives the attacker interactive access.\n\nThe critical detail here: no traditional malware is involved. No suspicious executables, no phishing links, no social engineering beyond the developer simply opening a project file. The AI assistant itself becomes the attack vector.\n\n## A pattern, not an isolated incident\n\nThis isn’t the first time AI coding tools have been weaponized. A related attack technique called Agentjacking uses fake Sentry error messages to manipulate tools like Claude Code. That approach achieved an 85% success rate across more than 100 organizations.\n\nThen there’s TrapDoor, a separate attack campaign identified in May 2026 that exploited AI configuration files to exfiltrate sensitive data. That one specifically targeted wallet information by hiding covert instructions in AI config files.\n\nThe through-line across all of these attacks is what security researchers call “indirect prompt injection.” Instead of attacking the AI model itself, attackers poison the data the model consumes.\n\n## What this means for developers and investors\n\nFor individual developers, the immediate takeaway is straightforward: treat any repository you don’t fully trust with the same caution you’d apply to downloading an unknown executable. AI coding assistants that can execute shell commands should be sandboxed or restricted when working with unfamiliar codebases.\n\nFor organizations, companies that have integrated AI coding tools into their development workflows now face a new category of supply chain risk. Every open-source dependency, every third-party repository, every code contribution from an external collaborator is a potential vector for indirect prompt injection. 
Security teams will need to develop new review processes specifically designed to catch embedded prompt attacks, something most code review tooling isn’t built for today.\n\nThe crypto-specific implications are worth noting separately. While this particular Claude Code attack doesn’t directly target digital assets, the TrapDoor campaign from May 2026 demonstrated that AI-based attacks can and will target wallet credentials and private keys. Developers working on crypto projects represent a high-value target set where a compromised developer machine in a DeFi project could constitute a significant financial exploit.", "url": "https://wpnews.pro/news/new-attack-exploits-claude-code-to-hijack-developer-machines-through-poisoned", "canonical_source": "https://cryptobriefing.com/claude-code-attack-hijacks-developer-machines/", "published_at": "2026-06-30 02:34:36+00:00", "updated_at": "2026-06-30 02:50:24.810932+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "large-language-models", "developer-tools"], "entities": ["Mozilla", "0Din", "Claude Code", "Anthropic", "Agentjacking", "TrapDoor"], "alternates": {"html": "https://wpnews.pro/news/new-attack-exploits-claude-code-to-hijack-developer-machines-through-poisoned", "markdown": "https://wpnews.pro/news/new-attack-exploits-claude-code-to-hijack-developer-machines-through-poisoned.md", "text": "https://wpnews.pro/news/new-attack-exploits-claude-code-to-hijack-developer-machines-through-poisoned.txt", "jsonld": "https://wpnews.pro/news/new-attack-exploits-claude-code-to-hijack-developer-machines-through-poisoned.jsonld"}}