Researchers at Wiz have disclosed a novel attack technique called GhostApproval that exploits symbolic link (symlink) following to manipulate AI coding assistants into accessing or modifying files outside a designated workspace, potentially resulting in remote code execution on a developer’s machine.
How the Attack Works
The technique is rooted in a file system behavior that has existed since early Unix systems. An attacker plants a symlink inside a seemingly legitimate code repository, disguising it as a normal project file. When a developer clones the repository and instructs an AI coding assistant to make edits, the agent resolves the symlink and performs write operations against the attacker-specified target outside the workspace rather than the apparent local file.
The more significant finding from Wiz concerns how these tools handle user confirmation prompts. Many AI coding assistants present a confirmation dialog before writing to a file, intended as a human-in-the-loop safety check. However, several tools fail to display the canonical, resolved path in that dialog. The user sees what appears to be a benign local file path, approves the operation, and the agent silently modifies a sensitive system file instead.
As Wiz researchers noted, when an agent shows one path and operates on another, user approval becomes meaningless. The confirmation dialog shifts from a security control into a formality.
Affected Tools and Vendor Responses
Wiz confirmed successful testing of GhostApproval against the following AI coding assistants:
- Claude Code (Anthropic)
- Amazon Q Developer (AWS)
- Cursor
- Google Antigravity
- Augment
- Windsurf
Wiz reported its findings to all affected vendors in the first quarter of 2026. Responses have varied:
- AWS, Google, and Cursor confirmed the vulnerability and issued patches.
- Anthropic does not classify the behavior as a vulnerability but stated that mitigations were already in place before Wiz’s report.
- Augment and Windsurf acknowledged the reports but have not yet released fixes as of the time of disclosure.
Implications for Developer Security
GhostApproval highlights a structural risk in agentic AI tooling: the human-in-the-loop model is only effective when the information presented to the user accurately reflects what the agent will do. Where AI coding assistants act on repository-supplied file paths without fully resolving and displaying symlink targets, attackers can weaponize malicious repositories to compromise developer workstations through normal, expected workflows.
Security teams supporting development environments should audit which AI coding tools are in use, verify that patches have been applied where available, and treat untrusted repositories as a potential delivery vector for this class of attack.
