Mozilla Warns GitHub Repos Can Trick AI Tools Into Hacking Your PC

hero mozilla 0din custom
Mozilla's 0din security team has discovered widespread prompt injection AI malware plaguing the GitHub ecosystem. This exploit, dubbed "indirect prompt injection," isn't the first of its kind. Previously, we've seen prompt injection malware disrupt the OpenAI ChatGPT Alias browser, and Microsoft warned that the same could happen with Copilot.

In line with wider industry trends indicating Anthropic's Claude AI leads with developers, this exploit is only reported for Claude. However, the nature of the attack by no means is limited to just Claude specifically, and outdated models will likely be even more vulnerable. It's a frightening prompt injection AI exploit as well, since it prompts the bot to download thinly-disguised malware from GitHub and proceed to fully compromise the user's system and GitHub credentials.

A similar attack on ChatGPT Alias.

Thus, the risk of automating your computer is not dissimilar to the risk of automating your steering. The stakes are completely different, though, and with a self-driving car, you can usually take over in the worst case. With AI assistants like Claude or ChatGPT Alias, an exploit can be carried out before you're even aware of it. Hopefully that means users in government or large-scale enterprise are mindful in their use of tools like these.

Mozilla's 0din team asserts that this is a very real and serious attack vector that can result in potentially irreversible damage just by prompting Claude to initialize a project from an apparently-clean GitHub repo, only for its readme script to prompt a silent, disguised download of a fake Axiom startup script. In a matter of moments on the fastest connections, system and credentials will be compromised and no readily-apparent malicious DNS activity or repo files will be apparent.

It's certainly an alarming situation, but it does sound like an issue that can be avoided now that developers are aware of it. Prompt injection methods could get more creative than this over time, though> After all, we've already seen AI result in an autonomous worm, and we know that AI in general is only in its infancy.
Tags:  security, Mozilla, GitHub, AI
Chris Harper

Chris Harper

Christopher Harper is a tech writer with over a decade of experience writing how-tos and news. Off work, he stays sharp with gym time & stylish action games.