Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Artificial Intelligence

AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique

Wiz has disclosed the details of a new AI coding assistant attack method it has dubbed GhostApproval.

AI coding hack

Several popular AI coding assistants were tricked into facilitating developer machine hacking via an attack technique that has been known for decades, according to Google-owned cloud security giant Wiz.

Dubbed GhostApproval, the attack has been successfully tested against Claude Code, Amazon Q Developer, Cursor, Google Antigravity, Augment, and Windsurf. 

GhostApproval leverages symbolic link (symlink) following, a longstanding file system behavior where a program resolves and operates on the target of a symbolic link rather than the link itself, enabling an attacker to trick privileged or sandboxed processes into accessing or modifying unintended files via deceptive paths.

The symlink vulnerability has been known since early Unix days, and Wiz researchers have now demonstrated that it’s exploitable against AI coding assistants.

In a GhostApproval attack, hackers plant a symbolic link in a seemingly benign repository that masquerades as a normal project file but actually points to a sensitive location outside the workspace.

When a developer opens the repo in an AI coding assistant and instructs it to make edits, the agent follows the symlink and performs the write on the target specified by the attacker.

Advertisement. Scroll to continue reading.

Some AI coding tools fail to resolve and display the canonical path in confirmation prompts, so users approve what appears to be a harmless local change while the agent silently modifies system files.

GhostApproval could allow an attacker to achieve remote code execution on the targeted developer’s machine, Wiz warned.

“The symlink primitive alone is serious, but what we found goes deeper. Many of these tools have sandboxes or confirmation dialogs designed to prevent exactly this kind of attack. The dialog intercepts the write and asks the user for permission. In theory, this is the Human-in-the-Loop safety net,” Wiz researchers explained. “The failure is not just that the symlink is followed – it’s that the UI doesn’t reveal the true target.”

Wiz added, “The Human-in-the-Loop security model only works if the loop provides accurate information. When an agent shows one thing and does another, user approval becomes meaningless. The confirmation dialog transforms from a security control into a formality.” 

The security firm reported the findings to each affected vendor in the first quarter of 2026. AWS, Google, and Cursor confirmed the vulnerability and rolled out patches. Anthropic does not view the findings as a vulnerability, but the AI company said it had added mitigations against such attacks prior to Wiz’s report. 

Augment and Windsurf have confirmed receipt of the vulnerability reports but have yet to release fixes, according to Wiz.

The cybersecurity company on Wednesday published technical details for the GhostApproval vulnerability.

Related: Amazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories

Related: Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt Injection

Related: CISA Reportedly Using Anthropic’s Mythos to Scan Government Software for Flaws

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.