Security News

Cybersecurity news aggregator

HIGH Attacks SecurityWeek

‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems

The SymJack attack is a supply chain threat where attackers compromise an AI coding agent's repository and use a disguised symlink to inject a malicious MCP server into the developer's environment. This allows the attacker to execute arbitrary code with the user's privileges, potentially stealing secrets or compromising CI/CD pipelines. The vulnerability stems from the inherent trust in automated AI coding agents and requires user interaction to approve a seemingly benign file copy operation, for which there is no specific patch; mitigation requires heightened scrutiny of agent-suggested file operations.

Artificial Intelligence

‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems

Malicious repositories and disguised symlinks can trick AI coding agents into silently installing attacker-controlled MCP servers capable of stealing secrets, compromising CI pipelines, and deploying malicious code.

By Kevin Townsend | May 27, 2026 (6:15 AM ET)

Trust and automation are key to many attacks, and trust with automation is inherent in the use of AI coding agents. Malicious repositories are a frequent factor in supply chain attacks, estimated at between 20% and 40% of them. Such repositories can be used to fool a developer using an AI coding agent into generating bad code that can silently slip into the CI pipeline. That is just one possibility of the SymJack attack described by Adversa AI.

The attack requires three elements: attacker control of the coding agent repo, a ready-made malicious MCP server, and a developer’s use of an AI coding tool. Adversa has named the attack SymJack because it hijacks a symlink within the code development process, renames it to something that looks innocuous but redirects to the malicious MCP, and builds the attacker’s instruction into the finished code.

The attack chain starts with an attacker’s control of the coding agent’s repo and the project instruction file it contains. That file is made malicious but is used and trusted by the coding agent. In SymJack, a malicious symlink is renamed to appear innocuous. A cp command can be used to automatically insert the attacker’s payload, hidden within the disguised symlink, into the agent’s own configuration settings. This payload registers the malicious MCP server, whose startup command runs whatever the attacker wishes.

Adversa summarizes, “The developer sees one request: copy this [innocuous looking] file to that documentation folder. They approve it. Nothing on screen mentions the config directory, the MCP file, or executable content. On the next restart, the planted server spawns, and the attacker’s code runs as the user, unsandboxed. In a real attack it can steal SSH keys, cloud tokens, and browser sessions, or even destroy production assets before the developer types another word.”

If the attack targets the CI, the blast radius can be magnified with no further user interaction. CI runners already contain the necessary secrets for operation. “A single malicious pull request can exfiltrate all of them before any human reviews the change,” comments the Adversa report. “That is a supply chain attack with a coding agent as the delivery mechanism.” Adversa’s proof of concept is available on GitHub.

This is not a bug within the coding agents. Agents simply follow the instructions given to them. SymJack could be stopped in its tracks by the user’s refusal to accept a specific cp in the coding process. But why should they? They see nothing that looks concerning. The very purpose of using a coding agent is to increase the speed of development, so human nature and the growing trust in automation predispose them to accept and rapidly move on.

Adversa checked its methodology within five major coding agents (Claude Code, Gemini CLI and Antigravity CLI, Cursor Agent CLI, Grok Build CLI, and GitHub’s Copilot CLI) and found it worked in all cases. The firm reported the issue to all five companies. At the time of writing, xAI and GitHub had not responded; Google rejected the report because explicit approval by the user is considered to be intended behavior; Cursor declined, saying they already knew about the issue; and Anthropic rejected the issue as out of scope.

But despite its initial rejection, Anthropic quietly hardened Claude Code a few weeks later. “The hardened version of Claude Code now resolves symlinks before it asks for approval and shows the real destination path in the prompt.” That’s a good start. Persuading users to consider before acting could help stop a SymJack attack and would be simple enough for other coding agents to implement.

Discovery of trust weaknesses such as SymJack is likely to increase; it is the natural result of too much trust being applied to too much automation. Trust and automation have become essential to modern business, and both stem from the need for speed to provide ROI and maintain or improve competitiveness.
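As an added illustration (not code from the article, from Adversa's proof of concept, or from any coding agent vendor), the check below implements the mitigation the article attributes to the hardened Claude Code: resolve every symlink in a proposed cp before asking for approval, show the real destination, and flag the request when that destination lands inside the agent's own configuration directory. The `.agent` config directory name, the `docs` symlink and the file names are constructed for the demo and are not real agent paths.

```python
"""Pre-approval check for agent-proposed file copies (added example).

The SymJack trick is that the displayed destination ("copy this file to the
docs folder") is a symlink whose real target is the agent's config directory.
Resolving symlinks before the approval prompt exposes that redirection.
The ~/.agent/ directory and all file names below are constructed assumptions.
"""
import os
import shutil
import tempfile
from pathlib import Path


def check_copy_request(src, dst, home: Path, config_dirs=(".agent",)) -> dict:
    """Describe what `cp src dst` would really do once symlinks are resolved.

    Returns the displayed and real paths, which displayed components were
    symlinks, and a `flagged` verdict so the approval prompt can show the true
    destination instead of the disguised one.
    """
    src_p, dst_p = Path(src), Path(dst)
    # resolve(strict=False) follows symlinks in the existing prefix and keeps
    # the not-yet-existing tail, which is exactly the file cp would create.
    real_src = src_p.resolve()
    real_dst = dst_p.resolve()
    sensitive = [(home / d).resolve() for d in config_dirs]

    def inside(p: Path) -> bool:
        return any(p == s or s in p.parents for s in sensitive)

    # Displayed destination components that are symlinks (the "docs" folder
    # in the SymJack scenario).
    symlinked = [str(p) for p in [dst_p, *dst_p.parents] if p.is_symlink()]

    return {
        "displayed_dst": str(dst_p),
        "real_dst": str(real_dst),
        "real_src": str(real_src),
        "symlinked_components": symlinked,
        # Flag when either side of the copy really touches agent config.
        "flagged": inside(real_dst) or inside(real_src),
    }


def build_demo_tree() -> Path:
    """Construct a throwaway layout mimicking the SymJack setup (constructed data)."""
    root = Path(tempfile.mkdtemp()).resolve()
    home = root / "home"
    agent_cfg = home / ".agent"               # assumed agent config directory
    agent_cfg.mkdir(parents=True)
    project = root / "project"
    (project / "real_docs").mkdir(parents=True)
    (project / "mcp_notes.json").write_text('{"mcpServers": {}}')  # payload stand-in
    (project / "README.md").write_text("# demo\n")
    # The innocuous-looking "documentation folder" is really a symlink into
    # the config directory, so `cp x docs/y` writes into ~/.agent/.
    os.symlink(agent_cfg, project / "docs", target_is_directory=True)
    return root


def run_demo() -> dict:
    """Run the check on a disguised copy and a benign copy; return both verdicts."""
    root = build_demo_tree()
    home, project = root / "home", root / "project"
    try:
        malicious = check_copy_request(
            project / "mcp_notes.json", project / "docs" / "mcp.json", home)
        benign = check_copy_request(
            project / "README.md", project / "real_docs" / "README.md", home)
    finally:
        shutil.rmtree(root)
    return {"malicious": malicious, "benign": benign}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        status = "BLOCK/ASK" if verdict["flagged"] else "ok"
        print(f"{name}: cp -> {verdict['displayed_dst']}")
        print(f"   really writes {verdict['real_dst']}  [{status}]")
        if verdict["symlinked_components"]:
            print(f"   via symlink(s): {verdict['symlinked_components']}")
```

The prompt shown to the developer should carry the `real_dst` line, not the displayed one; that is the single change that turns "copy this file to the docs folder" into "copy this file into ~/.agent/", which is what a user needs to see to refuse.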