Adversa AI — SymJack symlink-to-RCE via AI coding agents
AI relevance: SymJack exploits the inherent trust developers place in AI coding agents, turning them into automated supply-chain delivery systems that install malicious MCP servers and exfiltrate credentials without visible indicators.
What happened
Adversa AI published research demonstrating an attack — branded SymJack — that weaponizes AI coding assistants (Claude Code, Cursor, Gemini CLI, Copilot CLI, Grok Build) through malicious git repositories containing disguised symlinks.
- An attacker-controlled repo contains a project instruction file that instructs the AI coding agent to perform a benign-looking copy operation.
- The symlink is renamed to appear innocuous but resolves to a hidden MCP server configuration dropped into the agent's own settings directory.
- On next agent restart, the planted MCP server spawns unsandboxed, running arbitrary code as the developer user.
- The attack can steal SSH keys, cloud tokens, browser sessions, or destroy production assets.
- If the compromised repo is part of CI, the blast radius scales to the CI runner's secrets with no further user interaction.
- The technique was validated against five major coding agents and worked across all of them.
- Anthropic hardened Claude Code after initial rejection — it now resolves symlinks before approval prompts and shows the real destination path.
- Google rejected the report (explicit user approval = intended behavior); Cursor declined (already aware); xAI and GitHub had not responded at time of writing.
Why it matters
SymJack is not a software bug — it exploits the human tendency to approve automation quickly. As coding agents become standard developer tooling, the gap between what a user thinks they're approving and what actually executes widens. This is the same class of social-automation trust problem seen in OAuth consent phishing, but now weaponized through AI agent workflows.
What to do
- Configure coding agents to resolve and display symlink destinations before presenting approval prompts.
- Audit MCP server configurations in agent settings directories (~/.claude, .cursorrules, CLAUDE.md) for unexpected entries.
- Review CI pipeline permissions — runners should use short-lived, least-privilege credentials.
- Treat external repos used with AI coding agents as untrusted until the symlink resolution behavior is addressed vendor-wide.