{"data":{"id":"52602df3-0c5d-45c3-bfbb-73eddaec11fa","title":"‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems","summary":"SymJack is an attack that exploits AI coding agents by tricking them into inserting malicious code into software projects through disguised symlinks (shortcuts that point to files). The attacker controls a code repository and hides malicious instructions in an innocent-looking file request, which the AI agent approves and executes without the developer realizing what's happening, potentially stealing credentials or compromising production systems.","solution":"Anthropic hardened Claude Code to resolve symlinks (determine where shortcuts actually point) before asking for approval and display the real destination path in the prompt to the user. The source notes that persuading users to consider before acting on automation requests could help stop SymJack attacks and would be simple for other coding agents to implement.","labels":["security"],"sourceUrl":"https://www.securityweek.com/symjack-attack-turns-ai-coding-agents-into-supply-chain-attack-delivery-systems/","publishedAt":"2026-05-27T10:15:00.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain","prompt_injection"],"issueType":"news","affectedPackages":null,"affectedVendors":["Anthropic","Google","Microsoft","OpenAI"],"affectedVendorsRaw":["Anthropic Claude Code","Google Gemini CLI","Cursor Agent CLI","xAI Grok Build CLI","GitHub Copilot CLI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-05-27T10:15:00.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}