New Delhi, June 28 -- SAN FRANCISCO - The repository contained no malicious code. Not a single line. A researcher from Mozilla's Zero Day Investigative Network cloned it, opened Claude Code to help set up the project, and watched as the agent encountered a package initialization error and - helpfully - ran a recovery command. That command called an attacker-controlled shell script. The shell script queried a DNS TXT record. The developer's machine had a reverse shell, and the repository still contained nothing detectable as malware.

they read instructions and act on them. Every major AI coding tool - Claude Code, Cursor, GitHub Copilot, Gemini CLI - is vulnerable to some version of this. The attack surface is every developer who uses one...
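Because the repository in the chain above held nothing scannable, the only place left to check is the command the agent is about to run. The following is an added example, not code from the article, the researchers or any of the tools named: a pre-execution gate that flags the command shapes the chain relied on (running remotely hosted script content, reading DNS TXT data). The rule names, the `review` function and the `example.invalid` hosts are assumptions made for illustration, and Python 3.8 or later is assumed.

```python
import re
import shlex

# Assumed, non-exhaustive rules for the command shapes in the chain above.
FETCHERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "zsh", "dash"}
DNS_TOOLS = {"dig", "nslookup", "host"}
URL_RE = re.compile(r"https?://", re.I)
TXT_RE = re.compile(r"(-(type|q|querytype)=)?txt", re.I)

def _stages(command):
    """Split a command line into argv lists at |, ;, & and their doubled forms."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars="|;&")
    lexer.whitespace_split = True
    lexer.commenters = ""              # keep '#' inside URLs intact
    stages, current = [], []
    for tok in lexer:
        if tok and set(tok) <= set("|;&"):
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    return [s for s in stages if s]

def _tool(argv):
    return argv[0].rsplit("/", 1)[-1]  # "/bin/sh" -> "sh"

def review(command):
    """Return reasons an agent-proposed command should wait for human approval."""
    try:
        stages = _stages(command)
    except ValueError:                 # unbalanced quotes: escalate, do not guess
        return ["unparseable"]
    reasons = []
    for i, argv in enumerate(stages):
        tool = _tool(argv)
        has_url = any(URL_RE.search(a) for a in argv)
        if tool in SHELLS and has_url:
            reasons.append("shell-runs-remote-content")
        if tool in FETCHERS and has_url:
            nxt = _tool(stages[i + 1]) if i + 1 < len(stages) else ""
            reasons.append("fetch-then-shell" if nxt in SHELLS else "network-fetch")
        if tool in DNS_TOOLS and any(TXT_RE.fullmatch(a) for a in argv[1:]):
            reasons.append("dns-txt-lookup")
    return reasons
```

An empty list means none of these rules matched, not that the command is safe; wrappers such as `sudo` or `env` in front of the tool name are not unwrapped here.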