Mozilla’s 0DIN showed how an AI coding agent can be led from a normal-looking GitHub setup flow into running a DNS-fetched reverse shell. The proof of concept is a warning for teams letting agents install, initialize, and debug unfamiliar projects on developer machines.
GitHub Code Quality becomes a paid product on July 20, adding a $10-per-active-committer license, GitHub AI Credits for AI-powered checks, and GitHub Actions minutes for CodeQL scans. Teams using the free preview should audit enabled repositories, active committers, Actions usage, AI review behavior, and merge-blocking rules before billing starts.