Adversa summarizes, “The developer sees one request: copy this [innocuous looking] file to that documentation folder. They approve it. Nothing on screen mentions the config directory, the MCP file, or executable content. On the next restart, the planted server spawns, and the attacker’s code runs as the user, unsandboxed. In a real attack it can steal SSH keys, cloud tokens, and browser sessions, or even destroy production assets before the developer types another word.”

If the attack targets CI, the blast radius can be magnified with no further user interaction. CI runners already hold the secrets they need to operate. “A single malicious pull request can exfiltrate all of them before any human reviews the change,” comments the Adversa report. “That is a supply chain attack with a coding agent as the delivery mechanism.”

Adversa’s proof of concept is available on GitHub.

This is not a bug within the coding agents. Agents simply follow the instructions given to them. SymJack could be stopped in its tracks by the user refusing to approve a specific cp command during the coding process. But why would they? They see nothing that looks concerning. The very purpose of using a coding agent is to increase the speed of development, so human nature and the growing trust in automation predispose them to accept and rapidly move on.

Adversa checked its methodology against five major coding agents (Claude Code, Gemini CLI and Antigravity CLI, Cursor Agent CLI, Grok Build CLI, and GitHub’s Copilot CLI) and found it worked in all cases. The firm reported the issue to all five companies. At the time of writing, xAI and GitHub had not responded; Google rejected the report because explicit approval by the user is considered intended behavior; Cursor declined, saying it already knew about the issue; and Anthropic rejected the issue as out of scope.

But despite its initial rejection, Anthropic quietly hardened Claude Code a few weeks later. “The hardened version of Claude Code now resolves symlinks before it asks for approval and shows the real destination path in the prompt.” That’s a good start. Persuading users to consider before acting could help stop a SymJack attack and would be simple enough for other coding agents to implement.

Discovery of trust weaknesses such as SymJack is likely to increase: it is the natural result of too much trust being placed in too much automation. Trust and automation have become essential to modern business, and both stem from the need for speed to provide ROI and maintain or improve competitiveness.
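The mitigation the article quotes, resolving symlinks before the approval prompt and showing the user the real destination, is small enough to illustrate in full. The Python below is an added example written for this page; it is not Adversa’s proof of concept and not the code of any agent named above. The sensitive directory names, the Verdict type, and the throwaway workspace layout that demo() constructs in a temp directory are all assumptions made for illustration.

```python
"""Pre-approval destination check: resolve symlinks in a proposed copy target
and surface the real path to the user before asking for approval.
Added example; not Adversa's PoC and not any coding agent's implementation."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Illustrative sensitive locations under the user's home directory.
# These names are assumptions; a real agent would list its own config dirs.
SENSITIVE_DIRS = (".ssh", ".aws", ".config")


@dataclass(frozen=True)
class Verdict:
    requested: str         # destination as it appears in the cp command
    resolved: str          # destination after following every symlink
    redirected: bool       # the two paths differ, i.e. a symlink is involved
    outside_workspace: bool
    sensitive: bool

    @property
    def needs_attention(self) -> bool:
        return self.redirected or self.outside_workspace or self.sensitive


def check_copy(dst: str, workspace: Path, home: Path) -> Verdict:
    """Evaluate 'cp <file> <dst>' (dst relative to workspace) before approval."""
    workspace_real = workspace.resolve()
    home_real = home.resolve()
    # Lexical view: what the user sees in the prompt, no symlinks followed.
    requested = Path(os.path.normpath(workspace_real / dst))
    # Real view: every existing component resolved; the leaf may not exist yet.
    resolved = (workspace_real / dst).resolve(strict=False)
    return Verdict(
        requested=str(requested),
        resolved=str(resolved),
        redirected=resolved != requested,
        outside_workspace=not resolved.is_relative_to(workspace_real),
        sensitive=any(resolved.is_relative_to(home_real / d) for d in SENSITIVE_DIRS),
    )


def approval_prompt(verdict: Verdict) -> str:
    """Render the prompt text: always show the real destination, flag surprises."""
    lines = [f"Approve: cp <file> {verdict.requested}"]
    if verdict.redirected:
        lines.append(f"  WARNING destination is a symlink; writes land in {verdict.resolved}")
    if verdict.outside_workspace:
        lines.append("  WARNING real destination is outside the workspace")
    if verdict.sensitive:
        lines.append("  WARNING real destination is inside a sensitive directory")
    return "\n".join(lines)


def demo() -> tuple[Verdict, Verdict]:
    """Build a constructed layout in a temp dir: a fake home with a config
    directory, and a workspace whose 'docs' folder is a symlink into it.
    Returns (benign verdict, redirected verdict)."""
    root = Path(tempfile.mkdtemp(prefix="symlink-check-"))
    home = root / "home"
    workspace = root / "repo"
    (home / ".config" / "agent").mkdir(parents=True)
    (workspace / "real-docs").mkdir(parents=True)
    (workspace / "docs").symlink_to(home / ".config" / "agent", target_is_directory=True)
    benign = check_copy("real-docs/NOTES.md", workspace, home)
    planted = check_copy("docs/NOTES.md", workspace, home)
    return benign, planted


if __name__ == "__main__":
    for v in demo():
        print(approval_prompt(v))
        print("needs attention:", v.needs_attention, "\n")
```

Run it directly to see both prompts: the copy into real-docs shows a single line, while the copy into the symlinked docs folder shows the resolved path under the fake home’s .config directory and all three warnings. The design point is that the comparison happens on the resolved path of the whole destination, not just the leaf file, because the redirect in the scenario described above sits in a parent directory that looks ordinary in the command.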
Source: SecurityWeek