Skip to main content
CybersecurityHacking

AI Coding Assistants Exposed to Symlink Flaw

Developer workstation with laptop, terminal, and papers, in a research area with a blurred background.

"actually a zsh configuration file," Wiz found when testing Claude Code — a small sentence that underscored a large blind spot in six popular AI coding assistants. Researchers at Wiz disclosed the flaw, which they call GhostApproval, on July 8 and demonstrated how a repository with a deceptively named file can convince an agent to write attacker-controlled data into sensitive files outside the project.

The GhostApproval technique: symlinks plus deceptive prompts

GhostApproval abuses symbolic links (symlinks), an old Unix feature that points one filename at another. Wiz built a malicious repository whose project_settings.json was a symlink to the developer's SSH login file, ~/.ssh/authorized_keys. The repo's README instructed the assistant to add "a line" to project_settings.json; the assistant dutifully wrote the attacker's SSH key through the symlink into the authorized_keys file. A second variant writes into a shell startup file, ~/.zshrc, so the shell executes attacker code the next time a terminal opens. Wiz presented the technique as research and said there is no sign it has been used in real attacks.

Affected tools and vendor responses

The assistants Wiz tested are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Wiz reported the issue to all six vendors. Of the six, three had shipped fixes by publication, two were still working on fixes, and Anthropic disputed the classification of the behavior as a bug — saying the scenario "sits outside our threat model" because the developer chose to trust the folder and approved the edit. Anthropic also told Wiz that Claude Code's symlink warning shipped in early February as routine hardening, and that an earlier "no comment" was an automated reply.

Why the approval prompt fails

Wiz calls the core failure an "informed-consent bypass": the human is still presented with a prompt, but the prompt names the innocent-looking file rather than the sensitive target the write will actually reach. In testing, the agent itself had already inferred the real destination — the quote above shows it noted the file was a zsh configuration file — yet the approval box showed only the harmless project_settings.json. Some tools are worse: Windsurf writes the file to disk before Accept and Reject buttons appear, making the prompt effectively an undo. Augment showed no dialog at all in Wiz's demonstration and was able to read an AWS credential file outside the project.

Related research, CVEs, and live indicators

This is not an isolated finding. In May, Adversa AI published SymJack, the same symlink-and-approval pattern against six coding agents including Claude Code, Cursor, GitHub Copilot, and Grok Build. Cursor's advisory for its symlink bug credits both Wiz and Cato AI Labs, whose earlier work The Hacker News covered as DuneSlide. AWS's bulletin also covers a separate Amazon Q flaw, CVE-2026-12957, where a poisoned repo could auto-load a config file and run commands to steal AWS keys once the workspace was trusted. The broader pattern has appeared in the wild: as The Hacker News reported in June, the Miasma worm planted AI-agent config files in a Microsoft Azure repository so its payload ran the moment a developer opened the project in Claude Code, Cursor, or Gemini; GitHub disabled the 73 affected Microsoft repositories in response.

What this means for developers, tool makers, and enterprises

  • Developers and security teams: Wiz recommends running agents with limited file access or inside a sandbox or container, reviewing a repo's README and hidden config files before asking an agent to "set it up," and checking files that sit outside the project after using an unfamiliar repo — for example, with ls -la ~/.zshrc ~/.ssh/authorized_keys to see whether timestamps changed while the agent was running.
  • Tool makers and vendors: Wiz's short prescription is to resolve symlinks and show the real destination before asking for approval, flag any write that lands outside the project folder, and never touch the disk until the user has actually approved. The vendor responses so far — three fixes shipped, two pending, and one vendor disputing the classification — underline the design choice at the heart of the debate: how far should an agent go to protect a developer who has already trusted a malicious repository?
  • Enterprises and procurement leaders: the overlap of independent research (Wiz, Adversa AI, Cato AI Labs) points to a shared design weakness rather than a single vendor mistake. Procurement and security review should track which vendors have shipped fixes and whether products surface real target paths in approval dialogs.

"Human in the loop" only protects you if the loop tells the truth, Wiz cautions. As assistants are granted more autonomy to read and write files, an approval box that names the wrong destination becomes a liability — and the question of whose responsibility it is to detect and block deceptive repos remains squarely unresolved.

Original reporting — The Hacker News