Trust and automation are key to many attacks; and trust with automation is inherent in the use of AI coding agents.
Malicious repositories are a frequent factor in many supply chain attacks, estimated at between 20% and 40%. Such repositories can be used to fool a developer using an AI coding agent into generating bad code that can silently slip into the CI pipeline. That is just one possibility of the SymJack attack described by Adversa AI.
The attack requires three elements: attacker control of the coding agent repo, a ready-made malicious MCP server, and a developer’s use of an AI coding tool.
Adversa has named the attack SymJack, because it hijacks a symlink within the code development process, renames it to something that looks innocuous but redirects to the malicious MCP, and builds the attacker’s instruction into the finished code.
The attack chain starts with an attacker’s control of the coding agent’s repo, and the project instruction file it contains. That file is made malicious but is used and trusted by the coding agent.
In SymJack, a malicious symlink is renamed to appear innocuous. A cp command can be used to automatically insert the attacker’s payload hidden within the disguised symlink, into the agent’s own configuration settings. This payload registers the malicious MCP server, where the startup command runs whatever the attacker wishes.
Adversa summarizes, “The developer sees one request: copy this [innocuous looking] file to that documentation folder. They approve it. Nothing on screen mentions the config directory, the MCP file, or executable content. On the next restart, the planted server spawns, and the attacker’s code runs as the user, unsandboxed. In a real attack it can steal SSH keys, cloud tokens, and browser sessions, or even destroy production assets before the developer types another word.”
If the attack targets the CI, the blast radius can be magnified with no further user interaction. CI runners already contain the necessary secrets for operation. “A single malicious pull request can exfiltrate all of them before any human reviews the change,” comments the Adversa report. “That is a supply chain attack with a coding agent as the delivery mechanism.”
Adversa’s proof of concept is available in GitHub.
This is not a bug within the coding agents. Agents simply follow the instructions given to them. SymJack could be stopped in its tracks by the user’s refusal to accept a specific cp in the coding process. But why should they? They see nothing that looks concerning. The very purpose of using a coding agent is to increase the speed of development; so human nature and the growing trust in automation predisposes them to accept and rapidly move on.
Adversa checked its methodology within five major coding agents (Claude Code, Gemini CLI and Antigravity CLI, Cursor Agent CLI, Grok Build CLI, and GitHub’s Copilot CLI) and found it worked in all cases. The firm reported the issue to all five companies. At the time of writing, xAI and GitHub had not responded; Google rejected the report because explicit approval by the user is considered to be intended behavior; Cursor declined, saying they already knew about the issue; and Anthropic rejected the issue as out of scope.
But despite its initial rejection, Anthropic quietly hardened Claude Code a few weeks later. “The hardened version of Claude Code now resolves symlinks before it asks for approval and shows the real destination path in the prompt.” That’s a good start. Persuading users to consider before acting could help stop a SymJack attack and would be simple enough for other coding agents to implement.
Discovery of such trust issue weaknesses such as SymJack is likely to increase – it is the natural result of too much trust being applied to too much automation. Trust and automation have become essential to modern business, and both stem from the need for speed to provide ROI and maintain or improve competitiveness.
Learn More at the AI Risk Summit | Ritz-Carlton, Half Moon Bay
Related: AI Coding Agents Could Fuel Next Supply Chain Crisis
Related: Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking
Related: Top 25 MCP Vulnerabilities Reveal How AI Agents Can Be Exploited
Related: 1Password Teams With OpenAI to Stop AI Coding Agents From Leaking Credentials
