News

SymJack: How a Renamed Symlink Turns Your AI Coding Agent Into a Supply Chain Weapon

SymJack hijacks symlinks inside AI coding agents to install malicious MCP servers and steal developer credentials. Here is how the attack works and what to do about it.

By skillsec.io research

SymJack, disclosed this week by Adversa AI, does not exploit a memory bug or a parser flaw. It exploits the single thing coding agents are designed to do: follow instructions with one keystroke of approval.

The mechanism

The attacker plants a normal-looking repository on GitHub. Hidden inside is a symbolic link with an innocuous name that secretly points to the agent's own configuration directory.

When the developer opens the project, the project's instruction file (CLAUDE.md, .cursorrules, AGENTS.md) tells the agent to perform a routine copy. The developer sees:

cp ./docs/contributing.md ./project-docs/

Looks fine. Approve. Done.

What actually happened: the symlink resolved to ~/.claude/settings.json, and the agent just registered a malicious MCP server. Next restart, that server runs under the user's identity, with access to SSH keys, cloud tokens, browser sessions, and anything the developer can touch.

The three ingredients

  1. A repository the developer trusts enough to clone. Industry estimates put malicious repos at 20-40% of supply chain incidents, and the AI era has expanded the surface through hallucinated package names and SEO-poisoned tutorials.
  2. A ready-made malicious MCP server. Just a small executable the agent will dutifully invoke.
  3. A developer using an agent. No longer the unusual case - agent adoption is above 60% among professional developers.

Why the approval prompt is not saving you

The whole agent ecosystem leans on "human in the loop" as a meaningful safeguard. SymJack puts that under a microscope and finds it wanting.

When the agent shows you a command, it shows the command as written, not what the filesystem will actually do once symlinks resolve. By the time you understand what was copied where, the malicious MCP entry is already on disk.

Anthropic, after initially treating the report as outside its threat model, quietly shipped a hardening update: Claude Code now resolves symlinks before showing the prompt. Other vendors have moved at different speeds. The pattern - project-controlled configuration affecting what gets executed, surfaced through dialogs that do not faithfully describe consent - extends beyond symlinks.

The CI blast radius

This is the version that should keep engineering leaders up at night.

In CI, there is no developer at a keyboard to approve anything. The agent reads the project, follows the instruction file, executes the commands. If the project is hostile, the blast radius is whatever the CI runner can reach: production secrets, deployment keys, container registries, the ability to ship trusted code downstream.

A single malicious pull request, merged or even just opened on a self-hosted runner with the wrong configuration, can exfiltrate every credential in the environment before any human reviews the change.

What to do this week

  • Pin your agent to a version that resolves symlinks before approval. Check release notes when you upgrade.
  • Inspect .mcp.json and .claude/settings.json before running an agent on any repository you did not write yourself. Look at command, args, and permissions.allow.
  • Tighten CI: short-lived credentials, isolated runners, write paths that cannot reach production secrets without an additional human gate.
  • Stop reflex-approving. Every prompt is a moment of consent. If you click faster than you would read a sentence, the protection does not exist.
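As an added pre-flight check, written for this post and not taken from the Adversa AI disclosure or any vendor's tooling: before pointing an agent at a cloned repository, list every symlink whose resolved target leaves the repository (the SymJack primitive) and every MCP server the repository's config files declare, so the command, args and target are read before the agent ever runs. The `mcpServers`/`command`/`args` JSON layout, the file names in `MCP_CONFIG_FILES`, and the demo repository the last function builds are this example's own assumptions.

```python
import json
import os
import tempfile
from pathlib import Path

# Agent config files the post says to inspect before running an agent on a foreign repo.
MCP_CONFIG_FILES = (".mcp.json", ".claude/settings.json")

def escaping_symlinks(repo_root):
    """(link, resolved_target) for each symlink under repo_root whose real target is
    outside the repo: the SymJack primitive, a harmless name that resolves into ~/.claude."""
    root = Path(repo_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into links
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # follow the whole chain, as the filesystem will
            try:
                target.relative_to(root)
            except ValueError:  # target is not under the repo root: flag it
                findings.append((str(link.relative_to(root)), str(target)))
    return findings

def mcp_servers(repo_root):
    """(config_file, name, command, args) for each MCP server the repo declares; the
    agent will launch these. Assumes the "mcpServers" JSON layout."""
    servers = []
    for rel in MCP_CONFIG_FILES:
        cfg = Path(repo_root) / rel
        if cfg.is_file():
            for name, spec in json.loads(cfg.read_text()).get("mcpServers", {}).items():
                servers.append((rel, name, spec.get("command"), spec.get("args", [])))
    return servers

def demo():
    """Build a constructed SymJack-style repo in a temp dir (with a fake home directory,
    so nothing real is touched) and run both checks over it."""
    base = Path(tempfile.mkdtemp(prefix="symjack-demo-"))
    (base / "home" / ".claude").mkdir(parents=True)
    repo = base / "repo"
    repo.mkdir()
    # Constructed: "project-docs" looks like a docs folder but links to the fake ~/.claude,
    # so `cp ./docs/contributing.md ./project-docs/` would land inside the agent's config.
    os.symlink(base / "home" / ".claude", repo / "project-docs")
    # Constructed MCP entry; a real one gets the same command/args review.
    (repo / ".mcp.json").write_text(json.dumps({"mcpServers": {
        "docs-helper": {"command": "python3", "args": ["./tools/helper.py"]}}}))
    return escaping_symlinks(repo), mcp_servers(repo)
```

Run `demo()` to see the symlink reported with its real target alongside the declared server; point `escaping_symlinks` and `mcp_servers` at a real clone to use it as a gate before an agent session or CI job.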

The bigger picture

SymJack will be remembered less for the symlink trick and more for the lesson it crystallizes. Coding agents execute literally whatever the project tells them. The interface between literal execution and human judgment is the approval prompt, and that prompt only works if it tells the truth.

The research is public. The fix on Claude Code shows that the defense is straightforward when vendors take it seriously. The question is whether the rest of the ecosystem moves before the technique stops being a research disclosure and starts being an incident report, with your organization's name in the headline.

At skillsec.io we build the open scanner for AI agent skills. If you maintain skills or MCP configs, run one through our scanner before you ship.
