Skip to content

Symlink Vulnerabilities in AI Code Assistants Enable Silent Code Execution

In brief: Six popular AI code assistants (Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, Windsurf) can execute code undetected on developer systems through symlink exploits in attack scenarios known as GhostApproval.

Researchers from Wiz have demonstrated symlink vulnerabilities in six popular AI code assistants that allow attackers to execute code in an ostensibly harmless project — the system prompts for permission to make a seemingly benign change, but actually writes to sensitive files.

Wiz researchers identified a systematic vulnerability in the handling of file-write operations across six widely-used AI code assistants. The attack model exploits symlink mechanisms (symbolic links): the agent receives a manipulated code repository with prepared symlinks and is instructed to edit seemingly harmless files. The system presents a permission prompt for this benign operation, while the actual write operation is redirected through the symlink — the target being a sensitive or security-critical file on the developer’s system.

Affected are Amazon Q Developer, Anthropic’s Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. These tools are increasingly integrated into development workflows and thereby receive write and execution privileges on engineers’ machines. A successful symlink attack could inject malware into configuration files, build scripts, or system dependencies, thereby persistently compromising the developer’s machine.

For CISOs, the vulnerability is critical: it addresses the growing supply-chain attack surface created by automated development tools. A developer who clones an infected repository and uses an AI assistant becomes an unwitting vehicle for system intrusion. The vulnerability demonstrates that typical permission models — presenting suspicious changes for approval before implementation — fail when symlink redirection is in play. Organizations should impose restrictive file-write permissions on AI coding tools and scan repositories for suspicious symlinks before use.


Source: thehackernews.com · Published 9 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.

Share on: