Adversa SymJack — Symlink-Hijack RCE in AI Coding Agents

AI relevance: SymJack exploits the automation trust built into AI coding assistants — Claude Code, Cursor, Gemini CLI, Copilot CLI, Grok Build, and Antigravity — turning a simple file-copy approval into a pathway for unsandboxed remote code execution via symlink-hijacked MCP server registration.

Key findings

  • Adversa AI named the attack SymJack: a symlink is renamed to look like an innocuous file, but its target points to a malicious MCP server config.
  • The agent sees a cp request like "copy this file to the docs folder" and the developer approves it — the prompt never mentions config directories, MCP files, or executable content.
  • On the next agent restart, the planted MCP server spawns and runs attacker-supplied code as the developer user, unsandboxed.
  • Against CI runners, the blast radius multiplies: secrets for deployment are already present, and a single malicious PR can exfiltrate them before any human reviews the change.
  • All six tested agents were vulnerable: Claude Code, Gemini CLI, Antigravity CLI, Cursor Agent CLI, Grok Build CLI, and GitHub Copilot CLI.
  • Vendor responses were mixed: Anthropic quietly hardened Claude Code to resolve symlinks and show the real destination path in approval prompts; Cursor said it was already aware of the issue; Google rejected the report; xAI and GitHub had not responded at time of publication.
  • The attack is not a bug in the agents per se — it exploits the inherent tension between automation speed and human review.

Why it matters

SymJack turns AI coding agents into supply-chain delivery vehicles. The attack chain — malicious repo control → symlink disguise → MCP server injection → unsandboxed execution — requires no CVE, no exploit code, and no user mistake beyond approving what looks like a routine file copy. As coding agents become standard in developer workflows and CI pipelines, the attack surface for supply-chain compromise scales with adoption. The fact that Anthropic's silent fix (resolving symlinks before asking for approval) worked suggests this class of attacks can be mitigated with better transparency in approval prompts.

What to do

  • Update to the latest version of your coding agent and check whether it resolves symlinks before presenting approval prompts.
  • Review approval prompts critically — if a file operation references config directories or hidden paths, reject and investigate.
  • Restrict MCP server registration to allowlisted servers in CI environments.
  • Audit coding agent repos in your organization for unexpected symlink files or MCP config changes.
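Added example (not Adversa's code nor any vendor's): a Python audit implementing the two checks above, resolving a requested destination to its real path the way a hardened approval prompt should, and walking a checkout for symlinks that escape the repository or land in agent config locations. The SENSITIVE_MARKERS names are an assumption, to be extended for the agents in use.

```python
"""Symlink review for agent file operations (added example, not Adversa's or a vendor's
code): review_path() resolves a destination as a hardened approval prompt should;
audit_repo() walks a checkout for links the SymJack pattern relies on."""
import os
from pathlib import Path

# ASSUMPTION: names that mark agent or MCP configuration locations. The report
# names no paths; extend this for the agents actually in use.
SENSITIVE_MARKERS = frozenset({".claude", ".cursor", ".gemini", "mcp.json", ".mcp.json"})

def danger_reasons(real: Path, root: Path) -> list:
    """Reasons a fully resolved path is unsafe to write to from a repo context."""
    reasons = []
    if real != root and root not in real.parents:
        reasons.append("escapes the repository")
    hit = SENSITIVE_MARKERS.intersection(real.parts)
    if hit:
        reasons.append("touches agent/MCP config: " + ", ".join(sorted(hit)))
    return reasons

def review_path(path, repo_root) -> dict:
    """Resolve every component of `path` (dangling leaf included) and report what an
    approval prompt should show: the real destination plus any refusal reasons."""
    root = Path(repo_root).resolve()
    real = Path(path).resolve()  # strict=False: follows links even if the leaf is missing
    reasons = danger_reasons(real, root)
    if Path(os.path.abspath(path)) != real:  # abspath normalises '..' but never follows links
        reasons.insert(0, "traverses a symlink")
    return {"requested": str(path), "real": str(real), "reasons": reasons}

def audit_repo(repo_root) -> list:
    """Walk a checkout without descending into links; return every symlink whose
    real target escapes the repo or lands in a config location."""
    root = Path(repo_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in dirnames + filenames:  # symlinks to directories appear in dirnames
            link = Path(dirpath, name)
            if not link.is_symlink():
                continue
            real = link.resolve()
            reasons = danger_reasons(real, root)
            if reasons:
                findings.append({"link": str(link), "real": str(real), "reasons": reasons})
    return findings

if __name__ == "__main__":
    import sys
    for f in audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["link"], "->", f["real"], ";", "; ".join(f["reasons"]))
```

Benign in-repo symlinks (a `lib` link to `src`, say) produce no finding; only links whose real target leaves the checkout or hits a marker are reported.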

Sources