Security researchers at Adversa AI have uncovered a novel attack technique called SymJack that weaponizes AI coding agents to silently inject malicious code into software pipelines. The attack works by disguising a malicious symlink as an innocuous file, tricking developers into approving a simple copy command that secretly registers a rogue Model Context Protocol (MCP) server in the agent's configuration. On the next restart, the attacker's code runs unsandboxed, capable of stealing SSH keys, cloud tokens, and browser sessions.
Adversa tested SymJack across five major coding agents — Claude Code, Gemini CLI, Cursor, Grok Build, and GitHub Copilot CLI — and it worked on all of them. While most vendors dismissed the report, Anthropic quietly hardened Claude Code to resolve symlinks before requesting user approval. The attack isn't a software bug; it exploits developer trust in automation itself.
Source: SecurityWeek
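
The hardening described above, resolving symlinks before the user is asked to approve a command, shown as an added example (not code from Adversa AI, Anthropic or any agent vendor). The `agent-config/mcp.json` location, the file names and the function names are constructed for illustration, and the check covers a file-to-file copy only.

```python
import os
import tempfile

def _inside(path, parent):
    """True when the already-resolved `path` is `parent` or lies beneath it."""
    return os.path.commonpath([path, parent]) == parent

def review_copy(workspace, src, dst, protected_dirs):
    """Resolve both operands of a proposed file-to-file `cp src dst`.

    Returns (role, shown, real, reason) findings for the approval prompt;
    an empty list means both operands stay inside the workspace.
    """
    root = os.path.realpath(workspace)
    protected = [os.path.realpath(p) for p in protected_dirs]
    findings = []
    for role, shown in (("source", src), ("destination", dst)):
        # realpath follows every symlink, including a final link whose
        # target does not exist yet, so a disguised link is unmasked.
        real = os.path.realpath(os.path.join(root, shown))
        if any(_inside(real, p) for p in protected):
            findings.append((role, shown, real, "agent configuration"))
        elif not _inside(real, root):
            findings.append((role, shown, real, "outside workspace"))
    return findings

def build_sample():
    """Constructed fixture: a repo whose 'example' file is a symlink."""
    base = os.path.realpath(tempfile.mkdtemp())
    repo = os.path.join(base, "repo")
    agent_cfg = os.path.join(base, "agent-config")  # hypothetical location
    os.makedirs(os.path.join(repo, "docs"))
    os.makedirs(agent_cfg)
    with open(os.path.join(repo, "template.json"), "w") as fh:
        fh.write("{}")
    os.symlink(os.path.join(agent_cfg, "mcp.json"),
               os.path.join(repo, "docs", "settings.example.json"))
    return repo, agent_cfg

if __name__ == "__main__":
    repo, agent_cfg = build_sample()
    for role, shown, real, reason in review_copy(
            repo, "template.json", "docs/settings.example.json", [agent_cfg]):
        print(f"{role}: {shown} -> {real} ({reason})")
```

An approval prompt built on this would display the resolved path in place of the name shown in the repository, so the user sees that the copy lands in the agent's configuration.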