How does the critical vulnerability discovered in the Claude Code tool put developers’ devices at risk? Here are the details and warnings from experts.
Mozilla’s 0din team has demonstrated how the Claude Code tool can be manipulated to open a closed reverse shell on developer devices. This vulnerability allows the system to be compromised even if there is no malicious code in the project.
The attack process is triggered by Claude Code’s request to help, following the instructions of a seemingly harmless Markdown document. The tool thinks it is performing a routine error correction process and actually executes a command under the attacker’s control.
How did a routine staff glitch become an entry point?
The attack begins with a document describing the installation of a common monitoring tool called Axiom, and the flaw notification that appears when the tool is not started serves as a trap. Claude Code automatically runs the installation command in this defect report and activates the shell script hidden in the background of the command.
This script queries an attacker-controlled DNS text record and silently executes a base64-encoded violating shell command. After this stage, the attacker can gain permanent access to the system by adding an SSH key or scheduling an implicit cron job.
Sharing a single repository relationship can put the devices of all developers who open that relationship at risk. This shows that developers should always be wary of repositories they do not know.
Why are standard security tools inadequate?
Antivirus software and firewalls cannot detect this situation because each step of the attack does not look suspicious on its own. Static code scanning tools see only a routine DNS query, and network monitoring systems detect nothing more than a regular domain name resolution.
The 0din group emphasizes that coding tools should check in advance which script will actually run. Such systems, built on large language models, exhibit significant vulnerability to indirect injection of commands.
In order to prevent such attacks in the future, tools must be able to meaningfully evaluate what triggers commands. Currently, being careful when using unknown automation tools is the best protection technique for developers.
What do you think about the security of these types of artificial intelligence-based coding tools?