Blog

Clean GitHub repo tricks AI coding agents into running malware

Proactive scanning of AI-generated code prevents novel supply chain attacks.

cyber
threat-intelligence
defense
Abstract cyber defense illustration for Clean GitHub repo tricks AI coding agents into running malware

This isn’t an AI security story. It’s a story about giving unattended processes the keys to your development environment.

What happened

Researchers found a way to trick AI coding agents into running malware from a GitHub repository that looks perfectly clean. The attack hides malicious commands inside code comments or config files. A human reviewer or a static analysis tool would likely ignore these, but an AI agent tasked with setting up the project will parse and execute them.

The result is silent malware execution on a developer’s machine or in a build environment. The technique specifically targets AI assistants that are designed to automatically clone a repo and run setup instructions. It’s a clever way to bypass the usual supply chain checks.

What people will get wrong

The easy mistake here is to get distracted by the “AI” part of the attack. The real failure mode is much more boring: letting code execute in a development environment without any visibility or control. This is an old problem with a new face.

If you let an automated process—any automated process—pull code from the internet and run it with local privileges, you are accepting a certain amount of risk. The headline is about the AI agent, but the lesson is about the system around it. This is really an ownership problem. If nobody owns the security of the dev pipeline, nobody owns the risk when it breaks.

Practitioner lens

Before we rush to buy a new “AI security” tool, let’s ask some basic questions.

Can you even tell when an AI agent is cloning a repo versus a developer? What logs are you getting from that activity? Does anyone actually review the setup scripts for every open-source library you test? For most teams, the honest answer is probably ‘no’.

That’s not an AI tooling problem by itself. It’s a visibility and discipline problem. Sandboxing every setup process sounds great, but it’s where programs break under operational pressure. A better first question is whether the team can prove what happened after the fact. If you don’t have basic controls and telemetry for what code gets executed in your environment, it doesn’t matter if it’s an AI or an intern running the commands.

What to watch next

The question isn’t whether this specific attack gets reused. The question is whether you can prove what’s executing in your own dev environments.

Use this story as a simple test. Ask your platform or developer experience team: “If an AI agent cloned a repo and ran a setup script, could we see exactly what commands it ran?” If the answer is “I don’t know” or “we don’t log that,” you have your starting point. The real failure mode is usually that boring.

Generated from Hermes Relay’s daily cyber briefing and edited through Tony’s practitioner voice profile before publishing to this blog.

Source: Clean GitHub repo tricks AI coding agents into running malware

Pipeline note: lens: One concrete detection or mitigation step; draft model: projects/project-a89720ac-d6be-45fe-a4b/locations/us-central1/publishers/google/models/gemini-2.5-flash.