Mozilla Warns GitHub Repos Can Trick AI Tools Into Hacking Your PC
In line with wider industry trends indicating Anthropic's Claude AI leads with developers, this exploit is only reported for Claude. However, the nature of the attack by no means is limited to just Claude specifically, and outdated models will likely be even more vulnerable. It's a frightening prompt injection AI exploit as well, since it prompts the bot to download thinly-disguised malware from GitHub and proceed to fully compromise the user's system and GitHub credentials.
A similar attack on ChatGPT Alias.π¨ JAILBREAK ALERT π¨
— Pliny the Liberator πσ «σ Όσ Ώσ σ ΅σ σ σ Όσ Ήσ Ύσ σ (@elder_plinius) October 22, 2025
OPENAI: PWNED π
ATLAS-BROWSER: LIBERATED π
WOW! There's a new AI browser on the block! Has some hefty guardrails in play, but the browser surface area is vast π
First, I started with a good ol' LSD jailbreak, which was cool to see that the GPT-5 prompt… pic.twitter.com/wD3sI26XJx
Thus, the risk of automating your computer is not dissimilar to the risk of automating your steering. The stakes are completely different, though, and with a self-driving car, you can usually take over in the worst case. With AI assistants like Claude or ChatGPT Alias, an exploit can be carried out before you're even aware of it. Hopefully that means users in government or large-scale enterprise are mindful in their use of tools like these.
Mozilla's 0din team asserts that this is a very real and serious attack vector that can result in potentially irreversible damage just by prompting Claude to initialize a project from an apparently-clean GitHub repo, only for its readme script to prompt a silent, disguised download of a fake Axiom startup script. In a matter of moments on the fastest connections, system and credentials will be compromised and no readily-apparent malicious DNS activity or repo files will be apparent.
It's certainly an alarming situation, but it does sound like an issue that can be avoided now that developers are aware of it. Prompt injection methods could get more creative than this over time, though> After all, we've already seen AI result in an autonomous worm, and we know that AI in general is only in its infancy.
