In a nutshell: Six widely used AI coding assistants can be tricked via malicious repositories containing hidden symlinks to manipulate files outside their sandbox, with confirmation dialogs masking the actual action.
Security research firm Wiz has documented a systematic vulnerability category called GhostApproval that allows attackers to deceive AI code assistants and move them to access files outside their sandbox. Six widely used tools are affected: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf (now Devin Desktop).
The vulnerability exploits symbolic links (symlinks) – special files that function like shortcuts to other files or directories. Attackers can prepare a malicious repository so that the AI agent accesses files outside the workspace and potentially achieves remote code execution on the developer’s machine. The principle of symlink exploitation has been known for decades, but GhostApproval combines it with an additional critical component: UI obfuscation (CWE-451).
Wiz describes the attack flow: The agent’s internal reasoner does recognize the dangerous target file internally, but the confirmation dialogs shown to the user completely omit this information. The developer approves what they believe is a harmless local edit – the agent then writes to sensitive files outside the project. Among the affected vendors, AWS responded with rapid remediation, Cursor and Google also fixed the issue promptly. Anthropic had already addressed the issue before Wiz’s contact. Augment and Windsurf/Devin confirmed receipt of the report but subsequently provided no further information.
Katie Norton, Senior Research Manager for DevSecOps at IDC, emphasizes that GhostApproval reveals a more fundamental trust problem: security checks that users rely on for protection effectively provide none. The risk concentrates on workflows in which developers work with external contributions, forks, or open-source dependencies – not internally created code. However, since March 2025, comparable vulnerabilities have accumulated in nearly all leading AI coding assistants, typically following the pattern: patch published, a few months later bypass discovered.
According to Norton, GhostApproval illustrates that agent-based coding tools need multi-layered defense mechanisms because the risk does not lie solely in code output. The tools themselves are part of the software supply chain and can be attacked directly. The vulnerability is not a deficit in code quality or unsafe output generation, but a design problem: it lies in file handling and the presentation of agent actions to the user.
Source: www.csoonline.com · Published July 10, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.