Security researcher Rony Utevsky from Adversa AI has disclosed SymJack — a single attack pattern that achieves remote code execution through five of the most widely used AI coding assistants: Claude Code, Gemini CLI/Antigravity CLI, Cursor Agent CLI, GitHub Copilot CLI, and Grok Build CLI. The exploit turns the human approval step — the one thing these tools lean on for safety — into pure theatre. You approve what the screen shows. The kernel writes somewhere else.
🔍 THE BOTTOM LINE
Every major AI coding agent shares a fundamental design flaw: approval prompts show the literal command, not what it actually does. SymJack exploits this with a symlink, and most vendors aren’t fixing it.
How SymJack Works
The attack is elegantly simple and devastatingly effective. Three steps, one approval click:
-
The instructions. Every major coding assistant auto-reads a project instructions file on startup —
CLAUDE.md,AGENTS.md,GEMINI.md, etc. The agent treats it as trusted guidance. If you cloned a malicious repo, the attacker controls that file. The instructions ask the agent to copy a media file from one folder to another. Routine housekeeping. Nothing looks dangerous. -
The disguised write. The instructions tell the agent to use a raw shell
cpcommand rather than the agent’s native file-writing tools. The native tools have guardrails that flag sensitive paths. A rawcpslips right past them, because the permission prompt inspects the command text, not the real effect. Copying a file named like a video looks innocent. -
The symlink. The “destination” of the copy isn’t a real file — it’s a symbolic link committed into the repo, pointing at the agent’s own configuration file. When you approve the copy and the system runs it, the kernel follows the link and writes the attacker’s payload straight into the config. That payload is a JSON config file dressed up with a
.mp4extension. It registers a malicious MCP server whose startup command runs whatever the attacker wants.
On next restart, the planted server spawns. The attacker’s code runs as you, unsandboxed. SSH keys, cloud tokens, browser sessions — all exfiltrated before you type another word.
What is SymJack? SymJack (symlink hijack) is a class of attack that exploits symbolic links in file systems to trick AI coding agents into overwriting their own configuration. The user sees a request to copy a harmless file; the kernel resolves the symlink and writes the attacker’s payload into the agent’s config, achieving remote code execution on restart. It works because approval prompts display the literal command, not the resolved destination.
One Flaw, Five Products
Adversa AI confirmed the same chain works against all five products. This isn’t five separate bugs — it’s a category-wide design assumption that doesn’t hold.
The shared assumption: showing a prompt equals obtaining informed consent. It doesn’t. Informed consent requires an accurate picture of what the action actually does, and enough context to judge whether it’s safe. At the time of testing, only Claude Code (after a recent update) showed the user where a file write would actually land once symlinks resolved.
All five vendors made the same four design choices:
- Auto-ingest project instruction files as trusted input
- Expose a raw shell that sidesteps native tool guardrails
- Render approval prompts against the literal command string, not the resolved effect
- Load and run MCP servers from config on startup
Any agent built on those four choices is exposed. Including products that haven’t shipped yet.
CI Runners: Zero Clicks, Maximum Damage
On a developer laptop, the attack needs one approval click. On CI runners, it often needs none.
Continuous integration runners commonly auto-trust their workspace and run agents in non-interactive modes that approve tool calls automatically. Drop the same CLAUDE.md, payload files, and symlinks into a pull request, and the moment a coding agent runs against that branch, the chain executes end to end with no operator present.
The blast radius is worse than on a laptop. CI runners hold deploy keys, signing material, cloud credentials, and registry tokens. A single malicious pull request can exfiltrate all of them before any human reviews the change. That’s a supply chain attack with a coding agent as the delivery mechanism.
Vendor Responses: A Study in Denial
The vendor responses are… illuminating:
| Vendor | Product | Status |
|---|---|---|
| Anthropic | Claude Code | Report rejected as out of scope. But approval flow was quietly hardened — now shows the resolved path after a symlink. Fixed in practice, denied on paper. |
| Gemini CLI / Antigravity CLI | Declined. Classed as “single-user self-attack.” Explicit approval treated as intended behavior. | |
| Cursor | Cursor Agent CLI | Declined as a duplicate of an existing symlink report. |
| xAI | Grok Build CLI | Awaiting response. |
| GitHub | Copilot CLI | Awaiting response. |
Anthropic’s response is the most telling. HackerOne triage closed the report as out of scope, citing the program’s carve-out for symlinks and aliased commands used to bypass permission prompts. But then the shipping product changed. Claude Code now resolves symlinks before asking for approval and shows the real destination path. The report was rejected on paper and fixed in practice.
Google’s dismissal — calling it a “single-user self-attack” — echoes how the security industry initially dismissed ClickFix attacks. Those are now recognised as some of the most common and dangerous attack vectors. When you clone a repo and point an AI agent at it, you’re not attacking yourself. You’re being attacked by whoever controls that repo.
This Is Adversa AI’s Second Hit
SymJack isn’t the first time Adversa AI has pulled this thread. In early May, they published TrustFall — showing that the same four CLIs execute project-defined MCP servers the moment a developer accepts the folder trust prompt. TrustFall relied on a repo shipping a populated config that the trust dialog fails to display.
SymJack raises the bar further: config files are empty, and malicious settings are added after the trust prompt using the victim’s own approved file copy. The attack chain is harder to spot and harder to defend against.
What Needs to Change
Adversa AI outlines clear fixes:
- Resolve symlinks before any permission decision, on every file-writing path, including shell commands
- Treat shell file operations (
cp,mv,tee, redirections) as first-class writes subject to the same path-sensitivity checks as native tools - Show the canonical destination in the approval prompt, not the literal argument string — this is the single highest-value fix, and the one Anthropic already shipped
- Block sensitive config keys that enable MCP execution from being set by project-scoped files
- Surface which instruction-file rules fired during startup, so a hidden directive can’t run silently
Until vendors implement these changes, organisations need runtime protection: real-time policy enforcement, behavioral monitoring, identity and access governance, and kill-switch controls that don’t depend on the agent being honest about its own actions.
The Bigger Picture
This is the uncomfortable truth about the AI coding agent gold rush: the security model was an afterthought. Every major product leaned on the same crutch — “the human approves it” — without checking whether the human has enough information to make that approval meaningful. SymJack proves they don’t.
We’ve been tracking AI coding agent security since our coverage of Anthropic’s Project Glasswing discovering 10,000+ vulnerabilities and the Mythos cybersecurity frontier. SymJack is the flip side: it’s not AI finding your bugs, it’s AI being the bug. The tools millions of developers trust to write secure code can’t even secure their own config files.
The coding agent market is growing faster than its security model can keep up. If you’re using any of these tools — and let’s be honest, most of us are — treat every unfamiliar repository as hostile territory until vendors fix this properly. And don’t assume your approval click means what you think it means.
❓ Frequently Asked Questions
Q: Am I vulnerable right now? If you use Claude Code, Gemini CLI, Cursor, Copilot CLI, or Grok Build CLI and you’ve ever cloned an unfamiliar repo and pointed the agent at it — yes, potentially. Claude Code’s latest version shows the resolved path, which helps. The others do not.
Q: What should I do immediately?
Check your agent’s config files (.mcp.json, settings files) for unexpected MCP server entries. Avoid approving file-copy commands from repos you don’t fully trust. On CI runners, never auto-trust workspaces. Audit what your runners are actually executing.
Q: What does this mean for NZ developers? NZ’s growing tech sector relies heavily on overseas-contributed open source. Any developer here using AI coding agents against community repos is exposed to the same risk. If your organisation runs CI pipelines with auto-trusted coding agents, a single malicious PR could compromise your entire deployment chain.
