GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents
Researchers at Wiz found that a flaw in six popular AI coding assistants lets a booby-trapped code project quietly take control of a developer's computer. The assistant asks permission to edit one harmless-looking file, but the write lands on a sensitive one instead. The affected tools are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Wiz calls the pattern GhostApproval and published it on July 8. Three of the six have shipped fixes, two have not, and Anthropic disputes that it is a bug. The most exposed are the tools that change files before you can weigh in. How the attack works The attack abuses an old Unix feature called a symbolic link , or symlink , that the assistants fail to check. A symlink quietly points to another file elsewhere on disk, so writing to it actually writes to the target. Wiz built a malicious repository with a symlink named project_settings.json that really points to the victim's ...
î Jul 09, 2026