News
GhostApproval Flaw Lets Malicious Repos Trick Six AI Coding Assistants

Researchers at Wiz showed how a booby-trapped repository using a symlink can trick Amazon Q Developer, Claude Code, Cursor, Augment, Windsurf and Google Antigravity into writing files outside a project's sandbox, including SSH keys.
Security research firm Wiz has disclosed a vulnerability called GhostApproval that affects six popular AI-based coding assistants. A booby-trapped repository containing a symbolic link is enough to trick the tool into writing data outside the project directory, for example into a file containing authorized SSH keys.
How the attack works
The mechanism Wiz describes is simple to build yet effective. An attacker creates a repository containing a file that looks like an ordinary configuration file, for example project_settings.json, which is actually a symbolic link pointing to a sensitive system file such as ~/.ssh/authorized_keys.
The README file contains an instruction asking the AI assistant to append a single line to this seemingly innocuous configuration file. The agent, without checking the real, canonical target path of the symlink, carries out the instruction and appends the attacker's SSH key to the victim's list of authorized keys, opening a backdoor into their machine.
Empty user consent
The second, equally serious part of the flaw lies in how consent prompts are presented. In several tools, the agent correctly resolved the symlink's target path internally, but the dialog box shown to the user displayed only the harmless name of the source file. Developers clicked to approve an edit whose real effect they never saw.
The user approves what they believe is a harmless, local change, while the agent writes data to a sensitive file outside the project's working directory - from Wiz researchers' description
This was not a single vendor's bug. It was a category-wide flaw across AI coding tools - Wiz Research
Vendor responses
Companies' reactions varied widely. Amazon classified the issue as high severity, published a security bulletin and fixed it in version 1.69.0 of the Q Developer language server. Cursor also treated the report seriously, shipping a fix in version 3.0 and publishing its own CVE. Google fixed the issue in Antigravity and took part in the CVE assignment process.
Augment and Windsurf confirmed receiving the report but had not shipped fixes by the time of publication. In Windsurf's case, the agent wrote forged SSH keys to the victim's system before the accept or reject buttons even appeared, making the dialog box more of an undo mechanism than a genuine authorization gate.
Anthropic's position
The most notable reaction came from Anthropic. The company initially rejected the report, arguing that a user who trusted the project directory and approved the edit had made that choice themselves, and that the scenario Wiz described fell outside the company's accepted threat model. Only in later versions of Claude Code, from 2.1.32 onward, did the tool start resolving symlinks before showing the prompt.
For Polish development teams using these tools, the flaw poses a concrete risk when working with untrusted external code, for example when reviewing someone else's open source repositories or running agentic tasks on unfamiliar projects. Wiz recommends resolving symlinks before displaying a consent prompt, explicitly warning when a target path falls outside the working directory, and blocking disk writes until authorization is unambiguous.
The case highlights a broader problem in the AI coding agent industry, where the pace of shipping new features is outrunning the maturity of security mechanisms. Companies investing in automating developers' work will now have to answer more often for where they draw the line of trust between a human and an agent performing file operations.
Sources: GhostApproval: A Trust Boundary Gap in AI Coding Assistants (wiz.io), GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents (thehackernews.com), GhostApproval Flaw Hits Six Major AI Coding Assistants (infosecurity-magazine.com)

