A security firm placed one booby-trapped file in a code repository, asked an AI coding agent to copy it into a documentation folder, and waited for the developer to click approve. The file was not really a file. It was a disguised symlink, a pointer that secretly redirects to another location, and the copy it triggered never reached the documentation folder. It overwrote the agent's own settings and planted code that ran the next time the tool started.
On May 26, 2026, the AI red-teaming firm Adversa AI disclosed this attack, which it calls SymJack, and demonstrated it working against five of the most widely used AI coding assistants. The takeaway is not that one product is broken. It is that the approval prompt every developer now clicks through dozens of times a day can be made to lie about what it is actually doing.
Adversa AI published the research on May 26, 2026, and SecurityWeek reported it the following day. The firm tested SymJack against five major command-line coding agents: Anthropic's Claude Code, Google's Gemini CLI and its Antigravity CLI, Cursor's Agent CLI, xAI's Grok Build CLI, and GitHub's Copilot CLI. It worked in every one.
The attack chains three ingredients. The attacker controls a code repository and the project instruction file inside it, the configuration an agent reads and trusts. The attacker prepares a malicious MCP server (Model Context Protocol, the standard connector that lets an AI agent call outside tools and services). And a developer points an AI coding agent at that repository. The attacker renames a malicious symlink so it looks like an ordinary document, then has the agent run a routine cp, the Unix copy command, to copy that document into a docs folder. Because the symlink redirects, the copy actually rewrites the agent's own configuration and registers the attacker's server. On the next restart, that server launches and runs whatever the attacker chose, as the developer, with no sandbox around it. That is remote code execution (RCE), the ability to run arbitrary commands on someone else's machine.
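The kind of pre-approval check that closes this gap, as an added example that is neither Adversa's proof of concept nor any vendor's code: before a proposed cp is shown to the developer, it resolves every symlink on both sides, reports the file the operating system will really write, and refuses to auto-approve when that file leaves the repository or lands in a protected agent configuration directory. The repository layout, the agent-config directory and its settings.json are constructed stand-ins for the demo, and the check goes a little beyond the article by also flagging a source link that reads from outside the tree.

```python
import os
import tempfile
from pathlib import Path


def effective_target(src: Path, dst: Path) -> Path:
    """Path the OS will actually write for `cp src dst`.

    cp drops the file into dst when dst is a directory (even a symlinked
    one) and writes *through* dst when dst is an existing symlink, so the
    file name is appended first and every link is followed afterwards.
    """
    if dst.is_dir():
        dst = dst / src.name
    return dst


def check_copy(src, dst, repo_root, protected_dirs):
    """Describe a proposed copy and decide whether it may be auto-approved.

    verdict is "allow" only when the resolved source and destination both
    stay inside repo_root and the destination avoids every protected dir.
    """
    src, dst = Path(src), Path(dst)
    candidate = effective_target(src, dst)
    real_src = Path(os.path.realpath(src))
    real_dst = Path(os.path.realpath(candidate))
    root = Path(os.path.realpath(repo_root))
    protected = [Path(os.path.realpath(p)) for p in protected_dirs]

    def within(path, parent):
        return path == parent or parent in path.parents

    reasons = []
    if not within(real_src, root):
        reasons.append("source resolves outside the repository")
    if not within(real_dst, root):
        reasons.append("destination resolves outside the repository")
    for p in protected:
        if within(real_dst, p):
            reasons.append(f"destination lands in protected directory {p}")

    return {
        "source_is_symlink": src.is_symlink(),
        "real_source": str(real_src),
        "requested_destination": str(candidate),
        "destination_is_symlink": candidate.is_symlink(),
        "real_destination": str(real_dst),
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


def build_demo(base: Path):
    """Constructed layout (assumed, not Adversa's PoC): a repo with docs/,
    plus an agent-config dir outside it standing in for the real settings
    folder of whichever agent is in use."""
    repo, config = base / "repo", base / "agent-config"
    (repo / "docs").mkdir(parents=True)
    config.mkdir()
    settings = config / "settings.json"
    settings.write_text('{"mcpServers": {}}\n')
    (repo / "notes.md").write_text("# notes\n")
    (repo / "CHANGELOG.md").write_text("# changelog\n")
    # The booby trap: a document-looking name that is really a link to the
    # agent's settings file, so `cp notes.md docs/README.md` rewrites settings.
    (repo / "docs" / "README.md").symlink_to(settings)
    return repo, config


def run_demo():
    """Return the reports for the trapped copy and for a harmless one."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, config = build_demo(Path(tmp))
        trapped = check_copy(repo / "notes.md", repo / "docs" / "README.md",
                             repo, [config])
        harmless = check_copy(repo / "CHANGELOG.md", repo / "docs",
                              repo, [config])
    return trapped, harmless


if __name__ == "__main__":
    for report in run_demo():
        print(f"{report['verdict'].upper()}: {report['requested_destination']}"
              f" -> {report['real_destination']}")
        for reason in report["reasons"]:
            print("  -", reason)
```

The important design choice is that the prompt text is built from `real_destination`, not from the path the agent typed: the developer sees "docs/README.md -> agent-config/settings.json" and two block reasons, which is exactly the information the original approval dialog withheld. Realpath is applied only after the file name is appended, because that is the point at which cp itself decides whether to write through a link.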
The concrete damage in Adversa's proof of concept is the full compromise of a developer's machine and, through CI, the credentials to everything that machine builds. Malicious repositories already factor into an estimated 20 to 40 percent of software supply chain attacks, so the delivery route is well travelled. The uncomfortable part for your organization is who gets caught: not a careless newcomer, but your most productive engineers, the ones leaning hardest on AI agents to ship faster and approving requests that look mundane precisely because speed is the whole point of the tool. The deeper shift is one Adversa states plainly. This is not a flaw in any agent. Each one did exactly what it was told. The weakness is the trust a developer places in an approval prompt that cannot show what the operating system will really do, and as automation spreads through development, more weaknesses of this shape are coming.
SymJack did not break any AI coding agent. It broke the assumption that the approval prompt tells the truth. A request that read "copy this file" wrote an attacker's code into the tool's own configuration, and the only thing standing between a developer and a hijacked machine was the habit of clicking yes. Anthropic has since changed Claude Code to resolve the link and show the real destination before it asks, while most of the other vendors called the behavior intended. Take one question into your next engineering review. When your developers approve an AI agent's action, do they actually know what the machine is about to do, or are they trusting the box to be honest?