Adversa AI — Coding Agent RCE Roundup: SymJack, TrustFall, Copirate 365

AI relevance: An agentic coding gold rush has produced a cluster of high-impact RCE disclosures across major coding agents — SymJack (symlink-hijack across six tools), TrustFall (one-click RCE through regressed trust dialogs), and Copirate 365 (persistent Copilot backdoor presented at DEF CON) — demonstrating that AI coding agents remain a critical attack surface where trust boundaries are routinely violated.

Key disclosures

• SymJack — symlink-hijack RCE in six coding agents. Adversa AI demonstrated that a symlink-disguised file copy tricks AI coding assistants into remote code execution while the approval prompt misrepresents what is actually being approved. Six major tools were tested and all were vulnerable: Claude Code, Cursor, Antigravity, GitHub Copilot, Grok Build, and Codex.
• TrustFall — one-click RCE via regressed trust dialog. A second Adversa AI disclosure traces a regression in the Claude Code trust dialog combined with a settings-scope inconsistency that let a cloned repo run unsandboxed code with one keypress — and with no prompts at all on CI runners. These trust-dialog bugs keep resurfacing across the ecosystem.
• Copirate 365 at DEF CON — persistent Copilot backdoor. This DEF CON talk chains indirect prompt injection, render-based data exfiltration, delayed tool invocation, and memory poisoning into a persistent Microsoft Copilot backdoor (CVE-2026-24299). It is a textbook example of stacking small primitives into durable, long-term access.
• Microsoft Semantic Kernel RCE. Microsoft detailed two Semantic Kernel flaws where prompt injection reaches host-level remote code execution through a model-invokable function feeding a code/eval sink — "when prompts become shells."
• Gemini CLI supply-chain compromise. A walkthrough demonstrates escalation from an indirect prompt injection against the gemini-cli coding agent into a full supply-chain compromise of the developer environment, showing how one poisoned input can ripple into the build pipeline.

Why it matters

These are not isolated edge cases — they represent a systemic pattern across the entire coding agent ecosystem. SymJack proves that the approval UI itself is untrustworthy across every major vendor. TrustFall shows that even when vendors patch trust dialogs, regressions reintroduce the same class of vulnerability. Copirate 365 demonstrates that attackers are no longer looking for single exploits; they are chaining multiple primitives into persistent, hard-to-detect backdoors. The common thread: AI coding agents have been granted deep system access (filesystem, shell, CI pipelines) without correspondingly mature security boundaries.

What to do

• Treat the approval prompt as untrusted. SymJack proves the UI can misrepresent the actual operation being approved. Validate file operations at the filesystem level, not just the UI level.
• Enforce strict sandboxing for CI runners. TrustFall showed that CI runners can be exploited with zero prompts. Isolate CI environments and require explicit allowlists for code execution.
• Audit trust dialog regressions. Add automated regression tests specifically for trust/sandbox dialogs in coding agent updates — these have been repeatedly broken by feature changes.
• Monitor for chained primitives. Copirate 365-style attacks combine individually low-severity issues. Look for unusual sequences of indirect injections, delayed tool invocations, and memory modifications.

Sources

• Adversa AI — Top Agentic AI Security Resources (June 2026)
• Adversa AI — SymJack: The Approval Prompt Is Lying to You
• Adversa AI — TrustFall: One-Click RCE in Claude Code, Cursor, Gemini CLI, Copilot
• Embrace The Red — Copirate 365 at DEF CON: Plundering in the Depths of Microsoft Copilot
• Microsoft — When Prompts Become Shells: RCE in AI Agent Frameworks