At a glance: AI coding agents can be manipulated via compromised symlinks to silently register malicious server code that executes with user privileges on restart, endangering secrets and CI infrastructure.
Researchers from Adversa AI have documented a new attack method that allows threat actors to inject malicious code into developer workstations and CI pipelines via compromised symlinks in AI coding agents. The technique exploits the trust mechanisms of autonomous agents and remains completely invisible to developers.
The SymJack attack method targets the interface between automated software development and AI-powered programming tools. Researchers from Adversa AI demonstrate how attackers can use compromised symbolic links (symlinks) in a coding agent’s repository to inject malicious code into the continuous integration pipeline (CI pipeline). Malicious content in repositories accounts for an estimated 20 to 40 percent of supply chain attacks.
A successful SymJack attack requires three components: control over the coding agent’s repository, a prepared malicious server based on the Model Context Protocol (MCP), and a developer actively using AI programming tools. The attack chain begins with a manipulated project instruction file in the repository. A symlink is renamed to appear harmless, and via a cp command the payload is injected directly into the AI agent’s configuration settings. Registration of the malicious MCP server occurs automatically.
From the developer’s perspective on screen, only a legitimate request to copy a documentation file appears. There are no visual indicators of the configuration directory, the registration of an MCP file, or existing executable content. The problem lies not in programming errors of the AI systems, but in their fundamental characteristic of executing assigned work instructions without deeper logical validation.
After the next restart of the AI agent or system, the compromised MCP server launches in the background. The malicious code executes in the context of the local user, completely outside any sandbox environment. Attackers can thereby steal SSH keys, cloud tokens, and browser sessions or destroy enterprise assets before the developer notices the incident.
The impact is significantly amplified if the attack targets automated build infrastructure. CI runners contain extensive secrets, API keys, and credentials by default, which can then be compromised. For the attacker, no further user interaction is required to propagate malicious code through the production pipeline.
Source: www.it-daily.net · Published June 10, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.