GhostApproval Flaw Lets Malicious Repos Hijack Developer Systems
Six major AI coding assistants failed to detect symbolic link attacks that trick approval dialogs into writing attacker keys to sensitive system files.

Security researchers at Wiz have disclosed a critical vulnerability pattern affecting six widely used AI coding assistants that allows attackers to gain remote access to developer machines through deceptive file operations.
The attack, dubbed GhostApproval and disclosed on July 8, exploits how these tools handle symbolic links—Unix file system shortcuts that point to other locations. When an AI assistant encounters a symlink in a malicious code repository, it writes to the link's target without verifying the actual destination, and crucially, shows developers an approval dialog that names only the innocent-looking symlink, not the sensitive system file being modified.
How the exploit works
Wiz demonstrated the attack using a weaponized repository containing a symlink named project_settings.json that actually points to ~/.ssh/authorized_keys, the file controlling SSH login access. The repository's README instructs the AI assistant to add a configuration line to the settings file. That line contains the attacker's SSH public key.
When a developer asks their AI assistant to "set up the workspace" or follow the README instructions, the tool writes the attacker's key directly into the SSH authorization file through the symlink. If the developer's machine runs an accessible SSH service, the attacker can then log in without a password.
A variant of the attack targets ~/.zshrc, the shell startup file that executes commands whenever a terminal opens, eliminating the need for SSH access entirely.
The approval theater problem
The core issue extends beyond symlinks themselves, which have been a known attack vector for decades. The real failure lies in what Wiz calls an "informed-consent bypass"—the approval dialog actively misleads developers about what's being modified.
In testing Claude Code, Wiz found the AI agent had correctly identified in its internal reasoning that project_settings.json was "actually a zsh configuration file," yet the approval box shown to the developer displayed only the harmless filename. Some tools performed even worse: Windsurf wrote files to disk before showing Accept and Reject buttons, making the prompt merely an undo option after the damage was done. Augment displayed no dialog at all.
Vendor responses vary widely
The affected tools are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. As of publication, Amazon Q and Google Antigravity have shipped fixes (CVE-2026-12958 for Amazon Q, CVE pending for Antigravity). Augment and Windsurf have acknowledged the issue but not yet released patches.
Anthropic disputes that the behavior constitutes a bug, arguing the scenario falls outside their threat model since developers choose to trust folders and approve edits. The company notes that Claude Code began showing symlink warnings in early February as routine hardening, before Wiz's private disclosure.
Why it matters
This vulnerability pattern represents a fundamental design flaw in how AI coding assistants mediate between untrusted code repositories and developer systems. The discovery by two independent research teams—Wiz found GhostApproval while Adversa AI published the similar SymJack pattern in May—indicates this is an industry-wide architectural weakness, not an isolated implementation error.
The stakes extend beyond proof-of-concept attacks. In June, the Miasma worm used AI-agent configuration files planted in Microsoft Azure repositories to execute payloads the moment developers opened projects in Claude Code, Cursor, or Gemini, forcing GitHub to disable 73 Microsoft repositories. As AI assistants gain broader file system access, approval mechanisms that misrepresent their actions transform from safeguards into liabilities.
Developers can reduce risk by running AI agents with limited file access, inspecting repositories before allowing automated setup, and checking timestamps on sensitive files like ~/.zshrc and ~/.ssh/authorized_keys after working with unfamiliar code. Tool makers should resolve symlinks before requesting approval, flag any writes outside project boundaries, and never modify files before explicit user consent.
The research was first reported by The Hacker News, with technical details published by Wiz on July 8.
This is an original analysis by the Omega editorial team. Source reporting: AI Watch.
Want systems like this working for your business?
Book a Call
