Clean-looking GitHub repo tricks AI coding agents into executing a hidden payload
Researchers demonstrated an attack where a GitHub repository that scans clean to security tools, human reviewers, and the agent itself causes an agentic coding tool to execute a malicious payload during a routine clone-and-set-up task. The novelty is the target: the malware never ships in a published package, it weaponizes the trust an autonomous coding agent places in "just set this repo up" — README, config, and setup-hook content the agent reads and acts on, but a dependency scan never inspects. If your team points Claude Code, Cursor, Amazon Q or similar at untrusted repos, treat agent-initiated shell execution as an untrusted-input boundary: sandbox the clone and don't let an agent run setup scripts from a repo you haven't reviewed yourself.