SymJack is a single attack pattern that achieves remote code execution (RCE) across six major AI coding agents—Claude Code, Cursor Agent CLI, GitHub Copilot CLI, Gemini CLI (Antigravity CLI), Grok Build, and OpenAI Codex CLI—by abusing how these tools present file write approvals.
What SymJack Is
Adversa AI disclosed SymJack in May 2026. It is not a product-specific bug but an architectural flaw in any AI coding agent that:
- Performs file operations in a working directory, and
- Shows human approval dialogs for sensitive writes, but
- Fails to resolve symlinks before displaying the target path.
The result: the user approves a write to a seemingly harmless path, while the kernel actually writes to a different, attacker-controlled destination.
How the Attack Works
AI coding agents in agentic mode read, write, and modify files, typically guarded by a human-in-the-loop approval dialog for risky operations. SymJack breaks this control through symlink indirection:
- A malicious repository ships key configuration files as empty placeholders.
- Those placeholder paths (e.g., .agent/config) are actually symlinks pointing somewhere else, such as:
  - The agent’s own startup configuration, or
  - A shell initialization file (e.g., .bashrc, .zshrc).
- When the agent decides to write or update the config, it triggers an approval dialog.
- The dialog shows the apparent path (e.g., .agent/config) without resolving the symlink.
- The user approves the write, believing it targets a benign file.
- The OS follows the symlink and writes the payload into the real destination.
On the next agent or shell startup, the injected payload executes with the user’s privileges. No further exploit chain is required.
Zero-Click Risk in CI
In continuous integration (CI) environments, many AI coding agents are configured to:
- Auto-approve actions, or
- Run in fully non-interactive mode.
In these setups, SymJack becomes a zero-click attack:
- A single malicious pull request to an open-source repository can trigger the agent.
- The agent processes the repo, hits the symlinked config, and writes the payload automatically.
- The CI runner then executes attacker-controlled code with access to all secrets available in that job.
This is not hypothetical. AI coding agents are already being wired into CI for automated code review and PR processing. Parallel research, including Snyk's Clinejection work against the Cline VS Code extension and GitHub Actions workflows, confirms this attack surface is actively being explored.
What needs to change
The fix is straightforward to describe, and each vendor needs to implement it: approval dialogs must resolve symlinks before displaying the write target. The dialog should show the real filesystem path that will be written, not the apparent path. Until that is implemented, the human approval step does not function as designed whenever the working directory contains symlinks.
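To make the flawed and the corrected dialog behaviour concrete, here is an added example written for this page (not code from Adversa AI or from any of the agents named above). It builds a throwaway workspace in which .agent/config is a symlink to a stand-in for a shell init file outside the checkout, then runs a naive prompt that prints the apparent path beside a hardened prompt that resolves the path with os.path.realpath, refuses any target outside the workspace, and labels in-tree symlinks. The workspace layout, file names and function names are all assumptions made for the demonstration.

```python
"""
Added example for this page (not code from Adversa AI or from any of the
agents named above): a write-approval gate that resolves symlinks before
showing the target, beside the flawed dialog SymJack abuses.  The
workspace, the file names and the function names are all constructed
for the demonstration.
"""
import os
import shutil
import tempfile
from typing import Dict, Tuple


def naive_approval_prompt(workspace: str, relpath: str) -> str:
    """The flawed dialog: shows the path exactly as the agent requested
    it, so a symlink at ``relpath`` is invisible to the approver."""
    return f"Agent wants to write {relpath} in {workspace}. Allow?"


def resolve_write_target(workspace: str, relpath: str) -> Dict[str, object]:
    """Work out what the kernel will actually open when the agent writes
    ``workspace/relpath``.  os.path.realpath follows every symlink
    component, which is the step SymJack relies on being skipped."""
    workspace_real = os.path.realpath(workspace)
    apparent = os.path.join(workspace_real, relpath)
    real = os.path.realpath(apparent)
    inside = os.path.commonpath([workspace_real, real]) == workspace_real
    return {
        "apparent": apparent,
        "real": real,
        "is_symlink": os.path.islink(apparent),
        "inside_workspace": inside,
    }


def hardened_approval_prompt(workspace: str, relpath: str) -> Tuple[bool, str]:
    """The corrected dialog.  Returns (may_ask_user, message).

    A target that resolves outside the workspace is refused before any
    dialog is shown: an approval prompt is the wrong place to catch a
    write into a shell init file.  Otherwise the message carries the
    real path, and says so when a symlink was followed."""
    info = resolve_write_target(workspace, relpath)
    if not info["inside_workspace"]:
        return False, (f"REFUSED: {relpath} resolves to {info['real']}, "
                       "outside the workspace")
    note = " (via symlink)" if info["is_symlink"] else ""
    return True, f"Agent wants to write {info['real']}{note}. Allow?"


def demo() -> Dict[str, object]:
    """Build a constructed workspace in which .agent/config is a symlink
    to a stand-in for ~/.bashrc outside the checkout, then run both
    prompts against it and against honest paths."""
    base = tempfile.mkdtemp(prefix="symjack-demo-")
    try:
        workspace = os.path.join(base, "repo")
        os.makedirs(os.path.join(workspace, ".agent"))
        # Stand-in for the victim's shell init file, outside the checkout.
        outside_target = os.path.join(base, "home", ".bashrc")
        os.makedirs(os.path.dirname(outside_target))
        open(outside_target, "w").close()
        # The "empty placeholder" shipped by the repo is really a symlink.
        os.symlink(outside_target, os.path.join(workspace, ".agent", "config"))
        # An ordinary file and an in-tree symlink to it, for comparison.
        open(os.path.join(workspace, "README.md"), "w").close()
        os.symlink("README.md", os.path.join(workspace, "readme-link"))

        escaping_ok, escaping_msg = hardened_approval_prompt(workspace, ".agent/config")
        plain_ok, plain_msg = hardened_approval_prompt(workspace, "README.md")
        intree_ok, intree_msg = hardened_approval_prompt(workspace, "readme-link")
        return {
            "naive_msg": naive_approval_prompt(workspace, ".agent/config"),
            "escaping_allowed": escaping_ok,
            "escaping_msg": escaping_msg,
            "plain_allowed": plain_ok,
            "plain_msg": plain_msg,
            "intree_allowed": intree_ok,
            "intree_msg": intree_msg,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the naive prompt names only .agent/config, while the hardened gate reports the resolved .bashrc path and refuses the write without asking. The design choice to refuse rather than merely display an out-of-tree target is deliberate: a dialog that still asks the user relies on them noticing the real path, whereas a workspace boundary check fails closed.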
Microsoft's MSRC published companion research in May on RCE vulnerabilities in AI agent frameworks, which addresses the threat model at the framework level. The SymJack disclosure is the most concrete exploitation example of that threat model to date.
What security teams can do now
Until vendors patch, treat AI coding agents as having reduced trust for write operations in repositories containing external or untrusted code.
- Do not run AI coding agents in auto-approve mode against untrusted input.
- Review CI pipelines that use AI coding agents to check whether they process pull requests from external contributors. If they do, the risk is immediate.
- Minimize secrets on CI runners and use short-lived credentials where possible.
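One check a CI job can run on a freshly checked-out pull request, before handing the tree to an AI coding agent, is to list every symlink whose resolved target lies outside the checkout, which is the precondition SymJack needs. The script below is an added example written for this page, not tooling from Snyk, Adversa AI or any agent vendor; the repository layout in demo() and the function names are constructed for the demonstration. A non-zero exit status lets the pipeline stop before the agent step.

```python
"""
Added example (not part of the post or of any vendor tooling): a CI
pre-flight scan that reports symlinks escaping the checkout.  The
repository layout built in demo() is constructed for the demo.
"""
import os
import shutil
import sys
import tempfile
from typing import List, Tuple


def find_escaping_symlinks(workspace: str) -> List[Tuple[str, str]]:
    """Return (link_relpath, resolved_target) for every symlink under
    ``workspace`` whose target resolves outside it.

    os.walk runs with followlinks=False, so symlinked directories are
    reported as links and never descended into.  Dangling links are
    still reported: the target may not exist in the checkout but may
    well exist on the runner (a shell init file, for instance)."""
    root = os.path.realpath(workspace)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(path, root), target))
    return sorted(findings)


def demo() -> List[str]:
    """Constructed checkout with one benign in-tree link and three links
    that escape the tree by different routes.  Returns the relative
    paths the scan flags."""
    base = tempfile.mkdtemp(prefix="symjack-scan-")
    try:
        repo = os.path.join(base, "repo")
        os.makedirs(os.path.join(repo, ".agent"))
        os.makedirs(os.path.join(repo, "src"))
        os.makedirs(os.path.join(base, "home"))
        open(os.path.join(repo, "src", "main.py"), "w").close()
        # Benign: relative link that stays inside the checkout.
        os.symlink("src/main.py", os.path.join(repo, "entry.py"))
        # Escapes via '..' to a (dangling) stand-in for ~/.bashrc.
        os.symlink("../../home/.bashrc", os.path.join(repo, ".agent", "config"))
        # Escapes via an absolute path.
        os.symlink(os.path.join(base, "home", ".zshrc"),
                   os.path.join(repo, "settings.json"))
        # Escapes via a symlinked directory.
        os.symlink(os.path.join(base, "home"), os.path.join(repo, "vendor"))
        return [link for link, _ in find_escaping_symlinks(repo)]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    # Usage in a CI step: python scan.py "$GITHUB_WORKSPACE"  (path is an assumption)
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    escaping = find_escaping_symlinks(scan_root)
    for link, target in escaping:
        print(f"escaping symlink: {link} -> {target}")
    sys.exit(1 if escaping else 0)
```

The scan deliberately flags any out-of-tree target rather than only known-sensitive files, because the list of files an agent or shell reads at startup differs per tool and per user; an external contributor has no legitimate reason to ship a link that leaves the repository.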
Ask your AI coding tool vendors directly when they plan to ship symlink resolution in approval dialogs. This is a concrete, specific fix with a clear before-and-after behavior.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are building AI coding agent policies for your engineering organization.