SymJack Attack Exploits AI Coding Agents

May 28, 2026 00:19 · 12 min read
SymJack Attack: A New Threat to Supply Chain Security

Trust and automation are key to many attacks, and the use of AI coding agents is no exception. A new attack, dubbed SymJack, has been discovered by Adversa AI, which exploits the trust and automation inherent in AI coding agents to deliver supply chain attacks.

The SymJack attack requires three elements: attacker control of the repository the coding agent works in, a ready-made malicious MCP server, and a developer using an AI coding tool. The chain starts with the attacker's control of that repository and the project instruction file it contains: the file is made malicious, yet the coding agent reads and trusts it.

How the SymJack Attack Works

In the SymJack attack, a malicious symlink is renamed to appear innocuous. A cp command can then insert the attacker's payload, hidden behind the disguised symlink, into the agent's own configuration settings. This payload registers the malicious MCP server, whose startup command runs whatever the attacker wishes.

According to Adversa, "The developer sees one request: copy this [innocuous looking] file to that documentation folder. They approve it. Nothing on screen mentions the config directory, the MCP file, or executable content. On the next restart, the planted server spawns, and the attacker's code runs as the user, unsandboxed."

The attack can steal SSH keys, cloud tokens, and browser sessions, or even destroy production assets before the developer types another word. If the attack targets the CI, the blast radius can be magnified with no further user interaction.

Proof of Concept and Vendor Response

Adversa's proof of concept is available on GitHub, and the firm has reported the issue to five major coding agents: Claude Code, Gemini CLI and Antigravity CLI, Cursor Agent CLI, Grok Build CLI, and GitHub's Copilot CLI. The attack was found to work in all cases.

At the time of writing, xAI and GitHub had not responded, while Google rejected the report, saying that explicit approval by the user is considered intended behavior. Cursor declined, saying it already knew about the issue, and Anthropic rejected the issue as out of scope. However, Anthropic later hardened Claude Code to resolve symlinks before asking for approval and to show the real destination path in the prompt.
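An added example of the hardening just described (not Adversa's proof of concept and not any vendor's code): before asking for approval, resolve every symlink in the copy destination, show the real path, and flag writes that land in the agent's configuration directory. The `.agent` directory, the protected list and the file names are constructed assumptions for the demo.

```python
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class CopyReview:
    requested_dst: str  # destination exactly as the tool request shows it
    real_dst: str       # destination after every symlink has been resolved
    symlinked: bool     # the two differ, so the request as shown is misleading
    protected: bool     # real_dst lands inside a protected config directory


def review_copy(src: str, dst: str, protected_dirs: list[str]) -> CopyReview:
    """Work out where a cp would really write before the user is asked to approve it."""
    requested = Path(dst)
    # cp into an existing directory (or a symlink to one) writes src's basename inside it.
    target = requested / Path(src).name if requested.is_dir() else requested
    real = target.resolve()  # follows symlinks in every component, even if target is absent
    protected = any(real.is_relative_to(Path(d).resolve()) for d in protected_dirs)
    return CopyReview(str(target), str(real), str(real) != os.path.abspath(target), protected)


def approval_prompt(review: CopyReview) -> str:
    """Text an agent should show instead of the bare 'copy this file to docs/' request."""
    if not review.symlinked:
        return f"Copy to {review.requested_dst}?"
    warning = " (PROTECTED agent configuration directory)" if review.protected else ""
    return (f"Copy to {review.requested_dst}?\n"
            f"  WARNING: that path is a symlink; the file will actually be written to\n"
            f"  {review.real_dst}{warning}")


def demo() -> CopyReview:
    """Constructed scenario: a repo 'docs' symlink that silently points at the config dir."""
    root = Path(tempfile.mkdtemp()).resolve()
    config_dir = root / ".agent"  # stand-in for the agent's real config directory (assumption)
    config_dir.mkdir()
    repo = root / "repo"
    repo.mkdir()
    (repo / "setup.md").write_text('{"mcpServers": {}}\n')  # payload dressed up as a note
    (repo / "docs").symlink_to(config_dir, target_is_directory=True)  # the disguised symlink
    return review_copy(str(repo / "setup.md"), str(repo / "docs"), [str(config_dir)])


if __name__ == "__main__":
    print(approval_prompt(demo()))
```

Without the resolution step the prompt would read only "Copy to repo/docs/setup.md?", which is exactly the request the developer approved in the reported attack.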

Conclusion and Recommendations

The discovery of the SymJack attack highlights the need for users to be cautious when using AI coding agents and to consider the potential risks of automation. Giving users the information to consider before they act stops a SymJack attack, and this would be simple enough for other coding agents to implement.

As the use of AI coding agents becomes more widespread, it is likely that more trust-related weaknesses like SymJack will be discovered. It is essential for vendors and users to be aware of these risks and take steps to mitigate them.


Source: SecurityWeek