SymJack Attack: Symlink RCE via Approval Prompts in Major AI Coding Agents

Critical security disclosure: SymJack attack exploits symlink hijack to achieve RCE through approval prompts in Claude Code, Gemini/Antigravity, Cursor, Copilot, Grok Build. The approval prompt shows one thing but kernel writes elsewhere. This is architectural, not per-vendor. Vendor responses mixed. Immediate action needed: use sandboxes/containers instead of per-action approval. Affects all major coding agents and reinforces need for zero-trust architecture.