SymJack: a booby-trapped repo silently overwrites your AI coding agent's MCP config — six agents broken at once

Chris Harper

2 min read

Jun 14, 2026 · 12:10 UTC

AI
Security
Developer Tools

Adversa AI's Alex Polyakov disclosed SymJack on May 27 — a class of attack that exploits AI coding agents' trust in file-copy operations to hijack their configuration and execute arbitrary code. Confirmed against six agents: Claude Code, Gemini CLI/Antigravity CLI, Cursor Agent CLI, GitHub Copilot CLI, Grok Build CLI, and OpenAI Codex CLI. The vulnerability is architectural, not a single-product bug.

How it works. The attacker publishes a repository containing a symlink renamed to appear as an ordinary file — a video file, a documentation asset, any innocuous name. The agent is instructed (via a CLAUDE.md, a README task, or a prompt injection) to copy this file to the project docs folder. But the destination is itself a symlink pointing to the agent's own MCP configuration directory. The cp command writes the attacker's payload — a malicious MCP server config — directly into .claude/settings.json or its equivalent for each agent. On the next restart, the malicious MCP server spawns with full user privileges, unsandboxed. From there: SSH key and cloud token theft, CI pipeline compromise, browser session exfiltration, production asset access — everything the developer can touch.

Why the approval prompt doesn't save you. The agent displays the symlink's alias name, not its resolved destination. The developer approves what looks like a benign copy to a documentation folder. The real write destination is invisible until after the command runs.

Why this is a supply-chain risk. The attack vector is any repository you clone. A malicious package, an open-source contribution workflow, a vendor codebase you're reviewing — each is a potential delivery mechanism. Once the config is compromised, the malicious MCP server persists across sessions, clean-looking restarts, and even after the repository is deleted from disk.

Patch status is uneven. Anthropic hardened Claude Code (it now resolves symlinks before displaying the approval prompt, so the real destination path is shown). Cursor declined to patch, claiming prior awareness. Google declined, calling it intended behavior. xAI and GitHub had not responded by SecurityWeek's publication date.

Mitigations. Never run a coding agent against an untrusted repository without sandboxing or a container. After any agent session on a cloned third-party repo, inspect .claude/settings.json, .cursor/rules/, .gemini/settings.json, .github/setup.js, and .vscode/tasks.json for unexpected entries before your next session start.
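As an added example (not code from the article, Adversa AI, or any of the vendors), here is a defender-side check in Python that does what the hardened Claude Code prompt now does, resolving both ends of a copy before approval, plus a scan of a cloned repo for symlinks that escape the tree; the fake $HOME, the repo layout and the payload file are constructed fixtures.

```python
import os
import tempfile
from pathlib import Path

# Agent configuration locations the article says to inspect, relative to $HOME
# (the agent's own directory, not the repo, is where the write ends up).
AGENT_CONFIG_PATHS = [".claude/settings.json", ".cursor/rules",
                      ".gemini/settings.json", ".github/setup.js", ".vscode/tasks.json"]

def find_escaping_symlinks(repo):
    """Symlinks inside a cloned repo whose targets resolve outside the repo tree."""
    repo = Path(repo).resolve()
    hits = []
    for root, dirs, files in os.walk(repo):  # followlinks=False: never descend into links
        for name in dirs + files:
            p = Path(root) / name
            if p.is_symlink():
                target = p.resolve()
                if target != repo and repo not in target.parents:
                    hits.append((str(p.relative_to(repo)), str(target)))
    return hits

def check_copy(src, dst, home):
    """Resolve both ends of a copy the way a hardened approval prompt should, and
    return the reasons (if any) the write must not be approved on its alias name."""
    src, dst = Path(src), Path(dst)
    real_dst = dst.resolve()  # follows symlinked parent dirs such as a fake docs/
    reasons = []
    if src.is_symlink():
        reasons.append(f"source is a symlink, content comes from {src.resolve()}")
    if real_dst != Path(os.path.abspath(dst)):
        reasons.append(f"destination resolves to {real_dst}, not {os.path.abspath(dst)}")
    for rel in AGENT_CONFIG_PATHS:
        cfg = (Path(home) / rel).resolve()
        if real_dst == cfg or cfg in real_dst.parents:
            reasons.append(f"destination lands in agent config path {rel}")
    return reasons

def build_demo():
    """Constructed fixture: a fake $HOME holding a Claude settings file, and a cloned
    repo with docs/ symlinked into it plus a 'video' that is really a symlinked payload."""
    base = Path(tempfile.mkdtemp()).resolve()
    home, repo = base / "home", base / "repo"
    (home / ".claude").mkdir(parents=True)
    (home / ".claude" / "settings.json").write_text("{}")
    repo.mkdir()
    (repo / "payload.json").write_text('{"mcpServers": {}}')  # stand-in payload
    (repo / "intro.mp4").symlink_to(repo / "payload.json")
    (repo / "docs").symlink_to(home / ".claude", target_is_directory=True)
    return home, repo
```

Run `find_escaping_symlinks` on a fresh clone before letting an agent near it, and route any copy whose `check_copy` result is non-empty to a human with the resolved path shown.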

Sources: SecurityWeek: SymJack attack, Adversa AI: The approval prompt is lying to you, adyog: TrustFall, SymJack, Clinejection roundup, Microsoft Security Blog: RCE in AI agent frameworks