Technical description
Adversa AI disclosed SymJack, a new agentic attack class in which a malicious repository contains a disguised symlink, renamed to appear innocuous. A cp command is used to silently insert a payload into the agent's configuration, registering a malicious MCP server. The developer's approval prompt shows only an innocent-looking file copy request, with no mention of configuration directories or executable content. On the next agent restart, the planted server spawns and runs attacker code as the user, unsandboxed. The attack was confirmed against Claude Code, Cursor, Gemini CLI (Antigravity CLI), GitHub Copilot CLI, and Grok Build CLI.
Attack vector
The attacker controls a repository the coding agent works on (or one of its dependency repositories). A specially crafted instruction file contains a cp command whose destination is a disguised symlink that resolves into the agent's MCP configuration directory. The developer approves the innocuous-looking request, and the agent installs the malicious MCP server configuration without further prompts. On CI pipelines, the blast radius extends to all secrets, tokens, and OIDC credentials accessible to the runner, enabling a supply chain attack with no further user interaction.
Affected systems
All five major AI coding agent CLIs were confirmed affected at the time of disclosure: Claude Code (Anthropic), Cursor Agent CLI, Gemini CLI / Antigravity CLI (Google), GitHub Copilot CLI, and Grok Build CLI (xAI). Anthropic subsequently hardened Claude Code to resolve symlinks before displaying the approval prompt. Cursor, Google, xAI, and GitHub had not fully remediated at the time of SecurityWeek coverage.
Mitigation
For Claude Code: update to the version that resolves symlinks before approval prompts. For all other agents: treat every cp or file-move command in agent-generated instructions as potentially dangerous and inspect the real (symlink-resolved) destination path before approving. Organizations should require signed tool manifests and restrict agent access to configuration directories. CI pipelines should run in isolated environments with minimal secret access.
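The pre-approval check described above, written here as an added example in Python (not code from Adversa AI or from any of the agents named): the destination of a proposed cp is resolved through realpath before it reaches the approval prompt and flagged if it lands inside an agent configuration directory. The configuration directory names and the symlink fixture in demo() are assumptions constructed for the example.

```python
import os
import shlex
import tempfile

# Assumed agent config locations relative to $HOME (constructed for this
# example; check the real paths of the agents you run).
AGENT_CONFIG_DIRS = [".claude", ".cursor", ".gemini", ".copilot", ".grok"]


def cp_destination(command, cwd):
    """Parse a cp command line and return its fully resolved destination.

    The approval prompt shows the literal argument; realpath shows where the
    bytes will actually land once every symlink in the path is followed.
    """
    argv = shlex.split(command)
    if not argv or argv[0] != "cp":
        raise ValueError("not a cp command")
    operands = [a for a in argv[1:] if not a.startswith("-")]
    if len(operands) < 2:
        raise ValueError("cp needs a source and a destination")
    real = os.path.realpath(os.path.join(cwd, operands[-1]))
    # cp into an existing directory places the file inside it
    if os.path.isdir(real):
        real = os.path.join(real, os.path.basename(operands[0]))
    return real


def lands_in_agent_config(real_dest, home):
    """True if the resolved destination is inside a known agent config dir."""
    home = os.path.realpath(home)
    for name in AGENT_CONFIG_DIRS:
        root = os.path.join(home, name)
        if real_dest == root or real_dest.startswith(root + os.sep):
            return True
    return False


def review_cp(command, cwd, home):
    """Return (real_destination, flagged) for a proposed cp command."""
    real = cp_destination(command, cwd)
    return real, lands_in_agent_config(real, home)


def demo():
    """Constructed fixture: a repo whose 'docs' entry is a symlink to ~/.claude."""
    with tempfile.TemporaryDirectory() as tmp:
        home, repo = os.path.join(tmp, "home"), os.path.join(tmp, "repo")
        os.makedirs(os.path.join(home, ".claude"))
        os.makedirs(repo)
        os.symlink(os.path.join(home, ".claude"), os.path.join(repo, "docs"))
        with open(os.path.join(repo, "mcp.json"), "w") as f:
            f.write("{}")
        _, flagged = review_cp("cp mcp.json docs/", repo, home)
        _, benign = review_cp("cp mcp.json README.copy", repo, home)
        return flagged, benign
```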