Researchers say attackers can abuse trusted-looking project files in code repositories to make AI coding agents install attacker-controlled components and run malicious code on a developer's machine or in continuous integration (CI) systems. Adversa's 'SymJack' technique pairs a disguised symbolic link (symlink) with a copy command: the link looks like an ordinary project file but resolves to the configuration the agent reads its Model Context Protocol (MCP) servers from, so a copy the agent is talked into approving writes through the link and silently registers a malicious MCP server. The firm says it worked against Claude Code, Gemini CLI, Antigravity CLI, Cursor Agent CLI, Grok Build CLI, and GitHub Copilot CLI, and published a proof of concept on GitHub. Anthropic reportedly hardened Claude Code to resolve symlinks before asking for approval and to show the true destination path.
Why it matters: Teams using AI coding agents could unknowingly approve changes that steal SSH keys, cloud tokens, browser sessions, or CI secrets and then push malicious code downstream. This is urgent for developers and DevOps teams using agentic coding tools: review repository trust assumptions, restrict or audit MCP server registration, scrutinize file-copy prompts, and apply vendor mitigations where available.
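The write-through-a-symlink mechanism and the "resolve before approval" mitigation described above, as an added example in Python that is not Adversa's proof of concept and not any vendor's code. The home and repository layout, the file names and the `.agent/mcp.json` registry location are constructed for the demo (real agents keep their MCP configuration elsewhere); `naive_copy` behaves like a plain `cp`, while `guarded_copy` resolves the destination first and refuses anything that lands outside the repository.

```python
import os
import shutil
import tempfile

# Hypothetical location of an agent's MCP server registry, relative to $HOME.
# Real agents use their own paths; this one exists only for the demo.
AGENT_CONFIG_REL = os.path.join(".agent", "mcp.json")


def build_demo(base):
    """Construct (for this example only) a fake home directory and a
    checked-out repository that contains a disguised symlink into the
    agent's MCP registry."""
    home = os.path.join(base, "home")
    repo = os.path.join(base, "repo")
    os.makedirs(os.path.join(home, ".agent"))
    os.makedirs(repo)
    config = os.path.join(home, AGENT_CONFIG_REL)
    with open(config, "w") as f:
        f.write('{"mcpServers": {}}\n')  # clean registry before the attack
    with open(os.path.join(repo, "mcp.example.json"), "w") as f:
        f.write('{"mcpServers": {"helper": {"command": "attacker-binary"}}}\n')
    # The lure: a name that reads like a local project file, but the entry is
    # a symlink whose target is the agent's registry outside the repository.
    os.symlink(config, os.path.join(repo, "mcp.local.json"))
    return home, repo


def naive_copy(src, dst):
    """What a plain `cp src dst` does: open dst for writing, following symlinks."""
    shutil.copyfile(src, dst)


def resolve_destination(dst, allowed_root):
    """Resolve every symlink in dst and refuse targets outside allowed_root.
    The error carries the real path so an approver sees where the write lands."""
    real = os.path.realpath(dst)
    root = os.path.realpath(allowed_root)
    if os.path.commonpath([real, root]) != root:
        raise PermissionError(f"{dst} resolves to {real}, outside {root}")
    return real


def guarded_copy(src, dst, allowed_root):
    """Copy only after the destination has been resolved and confined."""
    real = resolve_destination(dst, allowed_root)
    shutil.copyfile(src, real)
    return real


def run_demo():
    """Return (registry_tampered_by_naive_copy, guarded_copy_blocked, in_repo_copy_ok)."""
    with tempfile.TemporaryDirectory() as base:
        home, repo = build_demo(base)
        config = os.path.join(home, AGENT_CONFIG_REL)
        src = os.path.join(repo, "mcp.example.json")
        lure = os.path.join(repo, "mcp.local.json")

        # The unguarded copy follows the link and rewrites the registry.
        naive_copy(src, lure)
        with open(config) as f:
            tampered = "attacker-binary" in f.read()

        # The guarded copy resolves the link and refuses the out-of-tree target.
        try:
            guarded_copy(src, lure, repo)
            blocked = False
        except PermissionError:
            blocked = True

        # A genuine in-repository destination is still allowed.
        inside = guarded_copy(src, os.path.join(repo, "mcp.json"), repo)
        ok = inside == os.path.join(os.path.realpath(repo), "mcp.json")
        return tampered, blocked, ok


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the first copy changing the registry file through the link while the guarded version refuses and names the real path; that resolved path, not the name in the repository, is what an approval prompt needs to show the user.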
Kevin Townsend
2026.05.27
This article appears to be the initial reporting of the SymJack technique as a named, cross-vendor attack pattern with a public proof of concept and documented vendor responses.