Several popular AI coding assistants were tricked into facilitating developer machine hacking via an attack technique that has been known for decades, according to Google-owned cloud security giant Wiz.
Dubbed GhostApproval, the attack has been successfully tested against Claude Code, Amazon Q Developer, Cursor, Google Antigravity, Augment, and Windsurf.
GhostApproval leverages symbolic link (symlink) following, a longstanding file system behavior where a program resolves and operates on the target of a symbolic link rather than the link itself, enabling an attacker to trick privileged or sandboxed processes into accessing or modifying unintended files via deceptive paths.
The symlink vulnerability has been known since early Unix days, and Wiz researchers have now demonstrated that it’s exploitable against AI coding assistants.
In a GhostApproval attack, hackers plant a symbolic link in a seemingly benign repository that masquerades as a normal project file but actually points to a sensitive location outside the workspace.
When a developer opens the repo in an AI coding assistant and instructs it to make edits, the agent follows the symlink and performs the write on the target specified by the attacker.
Some AI coding tools fail to resolve and display the canonical path in confirmation prompts, so users approve what appears to be a harmless local change while the agent silently modifies system files.
GhostApproval could allow an attacker to achieve remote code execution on the targeted developer’s machine, Wiz warned.
“The symlink primitive alone is serious, but what we found goes deeper. Many of these tools have sandboxes or confirmation dialogs designed to prevent exactly this kind of attack. The dialog intercepts the write and asks the user for permission. In theory, this is the Human-in-the-Loop safety net,” Wiz researchers explained. “The failure is not just that the symlink is followed – it’s that the UI doesn’t reveal the true target.”
Wiz added, “The Human-in-the-Loop security model only works if the loop provides accurate information. When an agent shows one thing and does another, user approval becomes meaningless. The confirmation dialog transforms from a security control into a formality.”
The security firm reported the findings to each affected vendor in the first quarter of 2026. AWS, Google, and Cursor confirmed the vulnerability and rolled out patches. Anthropic does not view the findings as a vulnerability, but the AI company said it had added mitigations against such attacks prior to Wiz’s report.
Augment and Windsurf have confirmed receipt of the vulnerability reports but have yet to release fixes, according to Wiz.
The cybersecurity company on Wednesday published technical details for the GhostApproval vulnerability.
Related: Amazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories
Related: Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt Injection
Related: CISA Reportedly Using Anthropic’s Mythos to Scan Government Software for Flaws
