Imagine cloning a perfectly innocent GitHub repo, following the setup steps, and—poof—your machine hands an attacker the keys. That’s the prank (okay, attack) Mozilla’s Zero Day Investigative Network showed can happen when an AI coding assistant automates setup without asking enough questions.

How the trick works

The clever bit is social engineering for machines: every piece on its own looks harmless, but together they make a stealthy trap. In plain language, here’s the chain:

  • A neat, ordinary GitHub repo with typical install and init steps (think pip installs and a one-line initialize command).
  • The package refuses to run until you perform initialization and prints an error telling you exactly which command to run. The AI agent—behavior designed to be helpful—treats that instruction like an obvious fix and runs it automatically.
  • The init command kicks off a shell script that fetches a value from a DNS TXT record the attacker controls and then executes that fetched value as a command.

Put together: no malicious files in the repo, no blatant exploit, and no suspicious prompts. The agent simply tries to be helpful and follows the startup script’s guidance, which is exactly what the attacker banks on.

Why this is scary (and what to do)

If the stunt succeeds, the attacker winds up with an interactive shell running as the developer. That means they can read environment variables, swipe API keys, poke through local configs, and try to make themselves sticky on the machine. The researchers summed it up like this: the agent didn’t decide to spawn a shell — it decided to fix an error, and the shell happened several indirections away.

This is still a proof-of-concept, but it’s low-effort to mass-distribute via fake job repos, tutorials, DMs or blog posts. To avoid becoming the punchline of someone’s exploit demo, consider these practical defenses:

  • Don’t let agents auto-execute suggested setup commands. Require explicit human approval for init or install commands.
  • Log and show the full execution chain: every script and any code fetched dynamically at runtime should be visible before it runs.
  • Run unfamiliar repos in strict sandboxes or disposable VMs so any fetched commands can’t reach your secrets.
  • Treat external configuration channels (like DNS TXT) as untrusted input and block or inspect commands sourced that way.
  • Build simple guards in automation: flag any runtime command that comes from network-fetched text or non-repo sources.

Finally, name-and-shame aside, the takeaway is practical: AI assistants are helpful, but sometimes too eager. Teach them to ask for a cup of human common sense before they go running shell scripts on your laptop.