Security Stuff

‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems



Researchers at Adversa AI have discovered "SymJack," a new attack method that exploits AI coding agents to inject malicious code into software development pipelines by hijacking symlinks in project files. The attack works by disguising a malicious symlink as an innocuous file that, when approved by an unsuspecting developer, secretly registers a malicious server that can steal credentials and access tokens. Testing across five major AI coding agents—including Claude Code, GitHub Copilot, and Cursor—found all were vulnerable, though most vendors rejected the report, with only Anthropic later quietly adding protections to display real symlink destinations before requiring approval.
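The protection described above, showing where a symlink really points before anything is approved, can also be run by a developer or CI job over a checkout. The following is an added example, not code from Adversa AI or any of the vendors named; the function names, status labels and the file names in the constructed sample tree are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path


def audit_symlinks(project_root):
    """List every symlink under project_root with its real destination.

    Returns sorted (link_path, real_target, status) tuples; status says whether
    the fully resolved target stays inside the project or leaves it.
    """
    root = Path(project_root).resolve()
    findings = []
    # followlinks=False: report linked directories, never walk into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            try:
                target = link.resolve(strict=False)  # follows the whole chain
            except (OSError, RuntimeError):          # e.g. a symlink loop
                findings.append((link.relative_to(root).as_posix(), "?", "UNRESOLVABLE"))
                continue
            inside = target == root or root in target.parents
            status = "inside-project" if inside else "ESCAPES-PROJECT"
            findings.append((link.relative_to(root).as_posix(), str(target), status))
    return sorted(findings)


def demo():
    """Build a constructed sample tree and audit it (all names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        project, outside = Path(tmp) / "project", Path(tmp) / "outside"
        (project / "docs").mkdir(parents=True)
        outside.mkdir()
        (project / "README.md").write_text("readme\n")
        (outside / "tool-config.json").write_text("{}\n")
        # Harmless link that stays inside the project.
        os.symlink("../README.md", project / "docs" / "notes.md")
        # Innocuous-looking name whose real destination is outside the project.
        os.symlink(outside / "tool-config.json", project / "CHANGELOG.md")
        return [(l, Path(t).name, s) for l, t, s in audit_symlinks(project)]


if __name__ == "__main__":
    for link, target, status in demo():
        print(f"{status:16} {link} -> {target}")
```

Any `ESCAPES-PROJECT` entry is a file whose displayed name says nothing about what a write to it will actually modify, so it deserves review before an agent is allowed to touch it.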

Security Stuff, by David