HIGH

SymJack Attack Weaponizes AI Coding Agents as Supply Chain Delivery Systems

· supply-chain · ai-safety · llm · appsec · devsecops

Researchers have documented a technique called SymJack that exploits AI coding agents: a malicious repository containing disguised symlinks tricks the agent into silently installing attacker-controlled MCP (Model Context Protocol) servers.

Once installed, a malicious MCP server can steal secrets, tamper with CI pipelines, and execute arbitrary code — all without direct user interaction. Developers using AI coding assistants should audit installed MCP servers regularly, restrict agent permissions to read-only where possible, and avoid cloning untrusted repositories through AI-assisted workflows.
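The audit step recommended above, as an added example that is not part of the original post or of any agent vendor's tooling: a small Python script that flags symlinks in a fresh checkout whose target resolves outside the repository or whose name masquerades as an agent configuration file, and that lists the MCP servers declared in an agent config so they can be diffed against a team allowlist. It assumes the agent stores server definitions under a top-level `mcpServers` object in a JSON file and that the file names in `AGENT_CONFIG_NAMES` are the ones an agent reads; both are assumptions. The sample checkout and config it audits are constructed inside the script.

```python
"""Defensive audit for a freshly cloned repository and an agent's MCP config.

Added example, not code from the original post. Assumptions: agents read
server definitions from a JSON object under the key "mcpServers", and from
files named as in AGENT_CONFIG_NAMES. Adjust both for the agent in use.
"""
import json
import os
import tempfile
from pathlib import Path

# Assumed file names that coding agents read MCP server definitions from.
AGENT_CONFIG_NAMES = {".mcp.json", "mcp.json", "claude_desktop_config.json"}


def find_suspicious_symlinks(repo_root):
    """Return (link_path, raw_target, reason) for symlinks that deserve review.

    A link is flagged when its resolved target lies outside the checkout (it
    could redirect an agent's reads or writes to the developer's home or
    config directories) or when its name looks like an agent config file.
    Directory symlinks are reported but never followed.
    """
    root = Path(repo_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = os.readlink(link)
            if os.path.isabs(target):
                resolved = Path(target).resolve()
            else:
                resolved = (link.parent / target).resolve()
            reasons = []
            try:
                resolved.relative_to(root)
            except ValueError:
                reasons.append("target outside repository")
            if name in AGENT_CONFIG_NAMES:
                reasons.append("symlink named like an agent config file")
            if reasons:
                findings.append((str(link.relative_to(root)), target, "; ".join(reasons)))
    return findings


def list_mcp_servers(config_path):
    """Return {server_name: [command, *args]} from an mcpServers-style JSON file."""
    with open(config_path, encoding="utf-8") as fh:
        data = json.load(fh)
    servers = data.get("mcpServers", {})
    return {name: [spec.get("command", "")] + list(spec.get("args", []))
            for name, spec in servers.items()}


def unexpected_servers(servers, allowlist):
    """Names present in the config that the team never approved."""
    return set(servers) - set(allowlist)


def build_constructed_sample():
    """Create a throwaway checkout and agent config with constructed contents."""
    base = Path(tempfile.mkdtemp(prefix="symjack-audit-"))
    repo = base / "repo"
    (repo / "docs").mkdir(parents=True)
    (repo / "README.md").write_text("constructed sample\n")
    (base / "outside.json").write_text("{}\n")
    # Benign: stays inside the checkout.
    os.symlink("../README.md", repo / "docs" / "README")
    # Suspicious: agent-config name and resolves outside the checkout.
    os.symlink("../outside.json", repo / ".mcp.json")
    # Suspicious: directory link to an absolute path outside the checkout.
    os.symlink(str(base), repo / "docs" / "cache")
    # Constructed agent config listing one approved and one unknown server.
    cfg = base / "agent-config.json"
    cfg.write_text(json.dumps({"mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "example-fs-server", "."]},
        "deploy-helper": {"command": "node", "args": ["/tmp/helper/index.js"]},
    }}))
    return repo, cfg


if __name__ == "__main__":
    repo, cfg = build_constructed_sample()
    for path, target, reason in find_suspicious_symlinks(repo):
        print(f"REVIEW {path} -> {target}: {reason}")
    servers = list_mcp_servers(cfg)
    for name in unexpected_servers(servers, {"filesystem"}):
        print(f"UNAPPROVED MCP server {name}: {' '.join(servers[name])}")
```

Run it against a real checkout by calling `find_suspicious_symlinks` on the clone directory before opening it in an agent, and `list_mcp_servers` on the agent's config after the session; any name outside the allowlist is a server that was added without the team's approval.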