
Trust and automation enable many attacks, and AI coding agents inherently rely on trusted automation. Malicious repositories are a common supply-chain risk, estimated at 20% to 40%, and can trick developers into generating bad code that silently enters CI. SymJack requires attacker control of the coding agent's repository, a ready-made malicious MCP server, and a developer using an AI coding tool. The attack renames a malicious symlink to look innocuous, uses a cp command to insert a hidden payload into the agent's configuration, and registers the malicious MCP server. On restart, the planted server spawns and runs attacker code as the user, unsandboxed, with potential theft of credentials and session data or destruction of production assets; targeting CI can expand the impact further.
"The attack requires three elements: attacker control of the coding agent repo, a ready-made malicious MCP server, and a developer's use of an AI coding tool. Adversa has named the attack SymJack, because it hijacks a symlink within the code development process, renames it to something that looks innocuous but redirects to the malicious MCP, and builds the attacker's instruction into the finished code."
"The attack chain starts with an attacker's control of the coding agent's repo, and the project instruction file it contains. That file is made malicious but is used and trusted by the coding agent. In SymJack, a malicious symlink is renamed to appear innocuous. A cp command can be used to automatically insert the attacker's payload hidden within the disguised symlink, into the agent's own configuration settings. This payload registers the malicious MCP server, where the startup command runs whatever the attacker wishes."
"'The developer sees one request: copy this [innocuous-looking] file to that documentation folder. They approve it. Nothing on screen mentions the config directory, the MCP file, or executable content. On the next restart, the planted server spawns, and the attacker's code runs as the user, unsandboxed. In a real attack it can steal SSH keys, cloud tokens, and browser sessions, or even destroy production assets before the developer types another word.'"
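The weak link in the chain above is that the approval prompt shows the lexical path of the cp request, not where it resolves. The following added example (not code from the article or from Adversa) is a pre-approval check a tool wrapper could run: it walks the destination path for symlink components, resolves the real source and destination, and refuses copies that land outside the repository or inside an agent's configuration directory. The repository layout, the `.agent` config directory and the `SETUP.md` payload are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

def symlinks_below(root: str, path: str):
    """Yield (link, real target) for each symlink component of path beneath root."""
    root, path = os.path.abspath(root), os.path.abspath(path)
    cur = Path(root)
    for part in Path(path).relative_to(root).parts:  # ValueError if not lexically under root
        cur = cur / part
        if cur.is_symlink():
            yield str(cur), os.path.realpath(cur)

def audit_copy(src: str, dst: str, repo_root: str, protected_dirs) -> list:
    """Reasons a 'cp src dst' request should be refused; an empty list means it looks benign."""
    findings = []
    real_root, real_dst = os.path.realpath(repo_root), os.path.realpath(dst)
    try:
        for link, target in symlinks_below(repo_root, dst):
            findings.append(f"destination traverses symlink {link} -> {target}")
    except ValueError:
        findings.append(f"destination is not under the repository path: {dst}")
    if os.path.commonpath([real_root, real_dst]) != real_root:
        findings.append(f"destination resolves outside the repository: {real_dst}")
    for d in protected_dirs:  # hypothetical list of agent config locations to protect
        real_d = os.path.realpath(d)
        if os.path.commonpath([real_d, real_dst]) == real_d:
            findings.append(f"destination lands in protected agent config dir: {real_d}")
    if os.path.islink(src):
        findings.append(f"source is a symlink -> {os.path.realpath(src)}")
    return findings

def demo() -> dict:
    """Constructed scenario: repo/docs is a symlink into a hypothetical agent config dir."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, config_dir = Path(tmp, "repo"), Path(tmp, "home", ".agent")
        repo.mkdir(); config_dir.mkdir(parents=True); (repo / "guide").mkdir()
        (repo / "SETUP.md").write_text("# setup notes (constructed sample)\n")
        (repo / "docs").symlink_to(config_dir, target_is_directory=True)
        protected = [str(config_dir)]
        # "copy SETUP.md to the docs folder" actually writes into the agent config dir
        bad = audit_copy(str(repo / "SETUP.md"), str(repo / "docs" / "mcp.json"), str(repo), protected)
        # a genuine documentation folder inside the repo passes the check
        good = audit_copy(str(repo / "SETUP.md"), str(repo / "guide" / "SETUP.md"), str(repo), protected)
    return {"bad": bad, "good": good}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

The same resolution step (`os.path.realpath` on both ends of the copy) is what a reviewer should apply by hand when an agent proposes a file operation whose destination they did not create themselves.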
Read at SecurityWeek