Claude Code Auto-Runs DNS-Fetched Setup Scripts: Mozilla 0DIN's Disclosure and the Real Cost of AI Coding Agent Trust

What the Attack Looks Like

Security researchers disclosed on Mozilla's 0DIN GenAI bounty platform a new supply-chain pattern targeting AI coding agents. The mechanism: a normal-looking GitHub repository ships with a setup script that, at install time, performs a DNS lookup to fetch its actual payload. The malicious bytes are never visible in the repo. Code scanners, code reviewers, and AI agents inspecting the repo all see clean code.

The reported chain: a developer points Claude Code at the repo. Claude Code attempts setup, encounters a routine error, and — per its standard recovery behavior — runs the setup script to resolve it. The script does its DNS query, executes the returned payload, and opens a reverse shell. The attacker now has the developer's API keys, login credentials, and persistent access. None of this is visible in the repo's git history.

Why Claude Code Specifically

The attack works because AI coding agents have permission to execute commands as part of normal operation. Unlike a human reading a setup script, an agent's instinct is "the install failed, let me try the documented recovery step." That recovery step is the trap.

Researchers recommend two mitigations: agents should surface setup script contents to the developer before running them, and developers should treat any third-party setup instructions as untrusted code by default. Both shift cost — the first onto the agent vendor; the second onto the developer's workflow.

Cost of a Successful Compromise

Once an attacker has API keys and reverse-shell access on a developer's machine:

The asymmetry: attacker cost to plant the trap is near zero. Developer cost to detect it before execution is "read every setup script carefully," which AI coding agents were specifically supposed to eliminate.

Defensive Posture for AI-First Teams

Three concrete moves that change the threat model without breaking the workflow:

1. Sandbox agent execution. Run Claude Code inside a fresh container or VM for unfamiliar repos. Cursor's cloud agents (in isolated VMs by default) and devcontainer-based workflows are structurally protected from local API key exfiltration. The cost: 30-90 second VM spin-up. The savings: every successful compromise prevented.

2. Tier API keys by scope. The Anthropic API key Claude Code uses for daily work should not be the same key with billing access. The OpenAI key should not be the same as the org admin key. A leaked development-scope key costs you a token burn; a leaked admin key costs you an org.

3. Spend caps as containment. Anthropic's Claude apps gateway (released the same day as this disclosure) supports per-user daily spend caps. A $50/day cap means a leaked key burns $50 before it gets cut off — not $5,000. Same logic on Bedrock IAM policies and Vertex AI quotas.

The Industry Pattern

This is the third significant AI-coding supply-chain attack disclosed in 2026, after the Sentry MCP agentjacking incident and the typescript+5.9.2.patch base64 payload targeting Rust crate maintainers. The pattern is consistent: attackers move from "ship malicious code that humans review" to "ship benign code that AI agents execute."

The cost of AI coding is no longer just the token bill. It includes the implicit insurance premium on agent-executed code. Teams treating that premium as zero will eventually pay it as a one-time loss instead of a steady operating cost. The math heavily favors paying it as steady cost — through sandboxing, scoped credentials, and spend caps.