Prompt Injection in Git Repos Can Turn Claude Code Into a Reverse Shell Launcher
Malicious instructions buried in a repository's files can hijack Anthropic's Claude Code agent and open a backdoor on the developer's own machine — no obvious malware required.
The attack surface here is deceptively small. A developer clones what looks like a clean repository. Claude Code, Anthropic's agentic coding assistant, reads the project files as context. Hidden inside those files — a README, a config stub, a comment block — sits a prompt injection payload telling the model to spawn a reverse shell. The developer never runs a suspicious binary. Claude does the work for them.
This is not a vulnerability in the classical sense. No CVE exists for a model following instructions it was given. The problem is architectural: agentic AI tools that read arbitrary file content and execute system commands inherit the trust level of whatever they read.
Reverse shells are blunt instruments. Once established, an attacker gets an interactive terminal on the victim machine, operating under the developer's own credentials. From there: lateral movement, secrets theft from environment variables, access to cloud provider tokens sitting in ~/.aws or ~/.config. The blast radius scales with whatever access the developer already has.
The repository itself need not be overtly hostile. A typosquatted open-source project, a dependency pulled in transitively, a shared internal template — any of these can carry the payload. The injection text is invisible to a casual reader because it is written for the model, not for humans.
Anthropic has not, as of publication, issued a security advisory addressing this specific attack pattern. The FTC's authority over unfair or deceptive practices in consumer software gives it at least theoretical jurisdiction if AI coding tools marketed to consumers cause foreseeable harm through design choices — though no enforcement action has been filed here.
The broader pattern tracks with earlier prompt injection research against LLM agents. What changes with agentic tools is consequence: a chatbot that leaks a summary is annoying; an agent with shell access that follows injected instructions is a full compromise.
What affected users should do
Developers using Claude Code or comparable agentic assistants should treat any repository from an untrusted source as hostile input — not just hostile code. Review what file types the agent is permitted to read, and restrict shell-execution permissions where the tool supports it. Run agentic sessions inside a container or VM with no cloud credentials mounted. Audit environment variables before starting any AI-assisted coding session on a new codebase.
