Copilot CLI (and every other coding agent we tested) falls for a disguised file copy, leading to full remote code execution. This end-to-end proof of concept demonstrates a critical coding agent security gap affecting major AI developer tools.
Read the full technical research and learn how to protect your pipelines:
https://adversa.ai/blog/the-approval-promp...
What is happening in this video?
In this PoC, we show how an attacker-controlled repository can trick Copilot into overwriting its own configuration files. The malicious JSON configuration is disguised as a harmless video file (.mp4) and routed through a native shell copy command, which lets it bypass the agent's internal security guardrails.
When the user approves what looks like a benign file copy, the OS resolves a hidden symlink and writes the attacker's payload directly into the agent's MCP settings. On the next restart, the agent executes the attacker's code with full user privileges.
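The two gaps this PoC relies on (a file whose extension does not match its content, and a copy destination that resolves through a symlink to somewhere outside the repository) are both checkable before the copy runs. The following is an added defensive example, not code from Adversa or from Copilot CLI: a pre-approval review step an agent could apply to a proposed `cp`. The workspace layout, the `.agent/mcp-config.json` settings path and the "disguised JSON" sample are all constructed placeholders.

```python
import json
import tempfile
from pathlib import Path

# Added example (not Adversa's or Copilot's code). Two checks an agent's
# approval layer could run on a proposed "cp SRC DEST" before executing it.

MEDIA_SUFFIXES = {".mp4", ".mov", ".m4v"}


def extension_matches_content(path: str) -> bool:
    """False when a file claims a video extension but does not carry an
    ISO base media 'ftyp' box at offset 4 (what a real .mp4 starts with)."""
    p = Path(path)
    if p.suffix.lower() not in MEDIA_SUFFIXES:
        return True  # only media claims are checked in this example
    head = p.read_bytes()[:12]
    return head[4:8] == b"ftyp"


def looks_like_json(path: str) -> bool:
    """True when the whole file parses as JSON (a config, not a video)."""
    try:
        json.loads(Path(path).read_text(encoding="utf-8"))
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def resolves_outside_workspace(dest: str, workspace: str) -> bool:
    """True if DEST, after following every symlink in the path (including a
    symlink at the final component, which cp writes through), lands outside
    the workspace root."""
    ws = Path(workspace).resolve()
    target = Path(dest).resolve()  # non-strict: works for not-yet-existing files
    return target != ws and ws not in target.parents


def review_copy(src: str, dest: str, workspace: str) -> list:
    """Return a list of findings; an empty list means the copy looks benign."""
    findings = []
    if not extension_matches_content(src):
        kind = "JSON" if looks_like_json(src) else "non-video data"
        findings.append(f"source {Path(src).name} claims a video extension but contains {kind}")
    if resolves_outside_workspace(dest, workspace):
        via = " via a symlink" if Path(dest).is_symlink() else ""
        findings.append(f"destination resolves outside the workspace{via}: {Path(dest).resolve()}")
    return findings


def run_demo() -> dict:
    """Build a constructed workspace: a JSON file named intro.mp4 and a copy
    destination that is a symlink to a placeholder agent settings file.
    Returns the findings for the disguised copy and for a benign control copy."""
    root = Path(tempfile.mkdtemp())
    workspace = root / "repo"
    (workspace / "media").mkdir(parents=True)
    settings_dir = root / "home" / ".agent"  # placeholder for a real settings dir
    settings_dir.mkdir(parents=True)
    settings = settings_dir / "mcp-config.json"  # placeholder settings file name
    settings.write_text("{}", encoding="utf-8")

    # Constructed "disguised" source: JSON text under a video extension.
    disguised_src = workspace / "intro.mp4"
    disguised_src.write_text(json.dumps({"note": "constructed JSON, not a video"}), encoding="utf-8")
    # Destination that looks like a path inside the repo but points at the settings file.
    disguised_dest = workspace / "media" / "intro.mp4"
    disguised_dest.symlink_to(settings)

    # Constructed benign control: real-looking mp4 header, destination stays in the repo.
    benign_src = workspace / "clip.mp4"
    benign_src.write_bytes(b"\x00\x00\x00\x18ftypisom" + b"\x00" * 16)
    benign_dest = workspace / "media" / "clip.mp4"

    return {
        "disguised": review_copy(str(disguised_src), str(disguised_dest), str(workspace)),
        "benign": review_copy(str(benign_src), str(benign_dest), str(workspace)),
    }


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, "->", findings or "no findings")
```

The check and the copy are not atomic, so an agent that adopts this should perform the copy against the already-resolved destination path rather than the user-supplied one, otherwise a symlink swapped in between review and execution would re-open the gap. The content check only covers the video extensions this PoC uses; a production version would sniff the magic bytes of every extension the approval prompt treats as low risk.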
#copilot #aisecurity