GhostApproval flaw exposes AI coding agents to ancient Unix trick that grants attackers SSH access

4 Sources

Share

Security researchers at Wiz discovered GhostApproval, a critical security vulnerability affecting six widely deployed AI coding assistants. The flaw exploits symbolic link vulnerabilities to trick agents into writing files outside their sandboxed workspace, potentially granting attackers remote code execution on developers' machines through compromised SSH keys.

Six AI coding agents caught in decades-old security trap

Security firm Wiz has uncovered a systematic vulnerability pattern dubbed GhostApproval that affects six of the most widely used AI coding assistants, demonstrating how AI coding agents can be tricked into running malicious code despite built-in safety measures

1

. The affected tools—Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf—all fall prey to an ancient Unix-era exploit involving symbolic link vulnerabilities, or symlinks, which serve as shortcuts pointing to files elsewhere on a system

3

.

Source: Hacker News

Source: Hacker News

The security vulnerability enables attackers to bypass security boundaries and achieve remote code execution on developer machines by creating malicious repositories that disguise symlinks as harmless configuration files

4

. When developers clone these repositories and instruct their AI coding assistants to set up the workspace, the agents unknowingly write attacker-controlled data to sensitive system files outside the sandboxed workspace.

How the attack exploits user approval prompts

The GhostApproval attack works by exploiting a critical flaw in how AI coding assistants handle user approval prompts. Attackers create a repository containing a symlink disguised as an innocent file like project_settings.json, which actually points to sensitive targets such as ~/.ssh/authorized_keys or shell startup files . The repository's README instructs the agent to update this "configuration file" with what appears to be a harmless setting but is actually the attacker's SSH public key.

What makes this security vulnerability particularly dangerous is that the AI coding agents recognize the symlink points to a dangerous target in their internal reasoning, yet the confirmation dialog shown to users hides this critical information. "The user approves what they believe is a harmless local edit; the agent writes to a sensitive file outside of the project workspace," explained Wiz threat researcher Maor Dokhanian

1

. Testing revealed that Anthropic Claude Code's internal reasoning stated it could see the file was "actually a zsh configuration file," yet asked users only whether to "make this edit to project_settings.json"

4

.

Some tools perform even worse: Windsurf writes files to disk before the Accept and Reject buttons appear, making the prompt merely an undo option, while Augment shows no dialog at all and silently accesses files outside the project

4

.

Vendor responses split on threat model responsibility

Amazon, Cursor, and Google classified the flaw as critical or high-severity and shipped fixes, with AWS and Cursor already issuing CVE trackers while Google is in the process of obtaining one

1

. Amazon patched Q Developer, Cursor fixed the issue in version 3.0, and Google addressed Antigravity in May

3

. Augment and Windsurf acknowledged the vulnerability report but have not yet patched the issue or warned users

1

.

Anthropic's response has sparked debate about where responsibility lies in the threat model. The company called the scenario "outside our threat model," arguing that users who trust a directory and approve file operations bear responsibility for the consequences

1

. Anthropic closed the ticket as "informative" and stated that its symlink warning shipped in early February, before Wiz's report, as proactive hardening rather than a response to the disclosure

4

.

Broader implications for enterprise AI deployment

Source: The Register

Source: The Register

The discovery carries significant weight for enterprises rushing to deploy AI coding assistants with deep access to codebases and cloud environments. "AI coding tools are routinely granted deep access to enterprise codebases and cloud environments," Dokhanian told The Register. "In the race to ship autonomous features, trust-boundary gaps emerge between users, AI agents, and local filesystems. Classic security principles—like resolving symlinks before acting on paths—cannot be overlooked as we embrace new AI architectures"

1

.

A separate proof-of-concept published by the AI Now Institute demonstrates related vulnerabilities, showing how AI coding agents built to scan open-source code for security holes can be tricked into running malicious code instead

2

. This "Friendly Fire" attack works against Anthropic Claude Code and OpenAI Codex when running in autonomous modes, hijacking the exact security-checking job these tools are marketed to perform.

Source: Hacker News

Source: Hacker News

While there is no indication that GhostApproval is being actively exploited in the wild, the flaw represents a serious threat as organizations accelerate AI agent adoption

1

. The fact that two independent research teams discovered similar symbolic link exploitation patterns points to a shared design weakness rather than isolated vendor mistakes

4

. Wiz recommends that developers run agents with limited file access, inspect repositories before allowing automated setup, and verify that sensitive files like SSH keys and shell startup files remain unchanged after agent operations.

Today's Top Stories

© 2026 TheOutpost.AI All rights reserved