TL;DR — A malicious GitHub repo can own your machine the moment an AI coding
agent touches it, without a single line of malware in the repo. The payload
lives in a DNS TXT record and is pulled at runtime, so scanners, code review, and
the agent itself never see it. Below is the attack in plain terms and a small,
fail-safe PreToolUse hook that blocks the two actions the attack depends on —
while leaving your own repos untouched.
Reported by 0DIN (Mozilla's GenAI bug bounty), write-up via