Mozilla's Zero Day Investigative Network (0DIN) demonstrated a proof-of-concept causing Anthropic's Claude Code to execute a reverse shell via a seemingly clean GitHub repository. The chain uses three innocuous steps: a Python package that refuses to run until initialized, an initialization command (python3 -m axiom init) that runs a script, and a DNS TXT record under attacker control that the script retrieves and executes, enabling an attacker to obtain a developer-privileged shell with no malicious code present in the repo. 0DIN researchers described the result: "Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw." The chain exploits automated error recovery, trust in developer-supplied initialization instructions, and out-of-band configuration retrieval via DNS or remote config. No malicious code appears in the cloned repository, placing the payload outside traditional supply-chain scanning. 0DIN recommends that AI agents disclose the full execution chain of any setup commands.