VYPR
Research · Published May 27, 2026 · 1 source

‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems

Researchers disclosed 'SymJack', an attack technique that exploits AI coding agents by using malicious repositories and disguised symlinks to silently install attacker-controlled MCP servers.

Security researchers have disclosed a novel attack technique dubbed 'SymJack' that weaponizes AI coding agents — tools like GitHub Copilot, Cursor, and Codeium — as unwitting delivery vehicles for supply chain attacks. By planting malicious repositories and exploiting how these agents resolve symbolic links (symlinks), attackers can trick the AI into silently installing attacker-controlled MCP (Model Context Protocol) servers. Once installed, these rogue servers can steal secrets, compromise CI/CD pipelines, and inject malicious code into the developer's environment without the user's knowledge.

The attack targets a fundamental trust assumption: that AI coding agents can safely traverse repository structures and follow symlinks. In a SymJack attack, a developer or AI agent clones a repository that appears benign but contains carefully crafted symlinks pointing to attacker-controlled external resources. When the AI agent processes the repository — for example, to answer a coding question or generate a patch — it follows the symlink and unknowingly executes code or installs an MCP server from the attacker's infrastructure. The technique is particularly insidious because the malicious activity happens in the background, with no visible indication to the user.

MCP servers are a core component of modern AI coding assistants, responsible for providing context, fetching documentation, and executing tool calls. By compromising this channel, attackers gain a persistent foothold inside the developer's environment. From there, they can exfiltrate API keys, cloud credentials, and source code; tamper with build outputs; or inject backdoors into the software being developed. The researchers demonstrated that SymJack can be used to silently modify CI/CD pipeline configurations, effectively turning the AI agent into a supply chain attack vector that propagates malicious code downstream to end users.

The attack is especially dangerous because it bypasses traditional security controls. Code review tools and antivirus software typically scan the contents of files, not the symlink resolution behavior of AI agents. Moreover, the malicious repository can be hosted on legitimate platforms like GitHub, making it difficult for developers to distinguish between a helpful open-source project and a trap. The researchers noted that the technique works against multiple AI coding agents, suggesting a systemic vulnerability in how these tools handle file system operations.

In response to the disclosure, major AI coding assistant vendors have been notified and are working on mitigations. Recommended defenses include restricting symlink resolution in AI agents, validating the origin of MCP server connections, and implementing sandboxing for agent-executed code. Developers are advised to carefully review repositories before allowing AI agents to process them, and to monitor for unexpected MCP server connections or outbound network traffic from their development environments.
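One way to act on two of those recommendations, restricting symlink resolution and reviewing a repository before an agent touches it, as an added example that is not code from the researchers or any vendor: the scanner below walks a checkout without following links and flags any symlink whose real target lands outside the repository root. The sample repository, the `.agent-config` link name and the `external` directory are constructed for the demonstration.

```python
"""Pre-flight symlink audit for a cloned repository, run before an AI coding
agent processes it. Flags symlinks whose resolved target escapes the checkout
(the SymJack pattern). Added example, not the researchers' or a vendor's code."""
import os
import tempfile


def resolve_within(root, path):
    """Return the real path of `path` if it stays inside `root`, else None.
    This is the 'restrict symlink resolution' mitigation: an agent should
    refuse to read or execute anything that resolves outside its workspace."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)  # follows the whole symlink chain
    try:
        inside = os.path.commonpath([real_root, real_path]) == real_root
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return real_path if inside else None


def scan_repo_symlinks(root):
    """Walk `root` WITHOUT following links; report every symlink, keyed by
    its path relative to the root."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            findings[os.path.relpath(link, root)] = {
                "target": os.readlink(link),          # raw, as stored in git
                "dangling": not os.path.exists(link),  # exists() follows the link
                "escapes_root": resolve_within(root, link) is None,
            }
    return findings


def build_sample_repo():
    """Constructed sample checkout (not a real repository): one benign in-repo
    link, one link escaping to a sibling 'external' directory that stands in
    for an attacker-controlled location, and one dangling link."""
    base = tempfile.mkdtemp(prefix="symjack-demo-")
    repo, external = os.path.join(base, "repo"), os.path.join(base, "external")
    os.makedirs(os.path.join(repo, "docs"))
    os.makedirs(external)
    open(os.path.join(repo, "docs", "README.md"), "w").close()
    os.symlink("docs/README.md", os.path.join(repo, "README.md"))  # benign
    os.symlink(external, os.path.join(repo, ".agent-config"))      # escapes
    os.symlink("missing-file", os.path.join(repo, "broken"))       # dangling
    return repo
```

A finding with `escapes_root` set is the one to block or review before the agent is allowed to run; dangling links are worth noting because a later step can create their target.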

The SymJack attack highlights a growing class of threats that target the AI supply chain — the ecosystem of models, plugins, and agents that developers increasingly rely on. As AI coding assistants become more autonomous and deeply integrated into software development workflows, they also expand the attack surface. This research serves as a reminder that the same features that make AI agents powerful — their ability to navigate complex codebases and execute actions on behalf of users — can be subverted to cause harm. The security community will need to develop new trust models and runtime protections to keep pace with these evolving threats.

Synthesized by Vypr AI