GhostApproval bug breaks 6 top AI coding agents

Security firm Wiz found one old Unix trick that breaks six popular AI coding assistants, from Amazon Q to Cursor. A booby-trapped repository can walk an agent past its own safety prompt. The payoff is a planted key that hands an attacker the developer's machine.

An ancient bug just tripped up the newest tools. Researchers at Wiz found a flaw they call GhostApproval in six widely used AI coding agents, The Register reports. It lets a rigged repository push an agent to write files far outside its workspace. From there, it can seize the developer's machine.

The six are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity and Windsurf. The trick dates back decades. It abuses symbolic links, or symlinks, an old shortcut file that quietly points somewhere else.

How the trap springs

The attacker builds a poisoned repository. Inside sits a symlink dressed up as an innocent config file, say project_settings.json. It really points at the user's SSH keys. A README then tells the agent to add a line to that “config” during setup.

A developer clones the repo and asks the agent to “set up the workspace.” The agent follows the README and writes an attacker-controlled SSH key into the real keys file. That hands the attacker quiet, password-free access to the machine. It mirrors an earlier booby-trapped-repo flaw in Amazon Q.

The rubber-stamp problem

Most of these tools show a confirmation box before risky actions. Wiz found the box lied by omission. The agents spotted that the symlink pointed somewhere dangerous. Yet the prompt hid the real target, showing only the harmless file name.

Claude Code handled it worst. Its own reasoning noted the file was really a shell config. Then it asked the user, “Make this edit to project_settings.json?” Wiz called that consent “substantively empty.” It logs the hidden prompt as a second, separate flaw: a UI that misrepresents what you approve. It is the same weak spot that lets attackers hijack coding agents and trick them into leaking private code.

Who fixed it, who shrugged

Amazon, Cursor and Google treated it as a real bug. Amazon issued a CVE and patched Q Developer. Cursor did the same in version 3.0. Google fixed Antigravity in May. Augment and Windsurf called it critical but had not shipped a patch at press time.

Anthropic pushed back, calling the scenario “outside our threat model” because the user had trusted the directory. Its triage system closed the ticket as “informative.” Anthropic later told Wiz its fix predates the report. Claude Code's symlink warning shipped on 5 February, nine days before Wiz filed, as proactive hardening.

Why it matters

Enterprises hand these agents deep access to their code and cloud. When the safety prompt hides the danger, human-in-the-loop becomes a rubber stamp. Vendors and researchers now split on the fix: protect users from deceptive repos, or treat that as the developer's job. Either way, one lesson holds. New AI plumbing still trips over the oldest bugs.

Also tagged with