Back to Feed
VulnerabilitiesJul 9, 2026

AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique

AI coding tools tricked into hacking developer machines via GhostApproval attack.

Summary

Wiz has discovered a new attack method called GhostApproval that exploits a decades-old symbolic link (symlink) following technique to trick AI coding assistants into modifying sensitive system files. The attack has been demonstrated against several popular AI coding tools, potentially allowing attackers to achieve remote code execution on developer machines. The core issue lies in the AI tools' failure to accurately display the target of operations in confirmation prompts, rendering user approval meaningless.

Full text

Several popular AI coding assistants were tricked into facilitating developer machine hacking via an attack technique that has been known for decades, according to Google-owned cloud security giant Wiz. Dubbed GhostApproval, the attack has been successfully tested against Claude Code, Amazon Q Developer, Cursor, Google Antigravity, Augment, and Windsurf. GhostApproval leverages symbolic link (symlink) following, a longstanding file system behavior where a program resolves and operates on the target of a symbolic link rather than the link itself, enabling an attacker to trick privileged or sandboxed processes into accessing or modifying unintended files via deceptive paths. The symlink vulnerability has been known since early Unix days, and Wiz researchers have now demonstrated that it’s exploitable against AI coding assistants. In a GhostApproval attack, hackers plant a symbolic link in a seemingly benign repository that masquerades as a normal project file but actually points to a sensitive location outside the workspace. When a developer opens the repo in an AI coding assistant and instructs it to make edits, the agent follows the symlink and performs the write on the target specified by the attacker.Advertisement. Scroll to continue reading. Some AI coding tools fail to resolve and display the canonical path in confirmation prompts, so users approve what appears to be a harmless local change while the agent silently modifies system files. GhostApproval could allow an attacker to achieve remote code execution on the targeted developer’s machine, Wiz warned. “The symlink primitive alone is serious, but what we found goes deeper. Many of these tools have sandboxes or confirmation dialogs designed to prevent exactly this kind of attack. The dialog intercepts the write and asks the user for permission. In theory, this is the Human-in-the-Loop safety net,” Wiz researchers explained. “The failure is not just that the symlink is followed – it’s that the UI doesn’t reveal the true target.” Wiz added, “The Human-in-the-Loop security model only works if the loop provides accurate information. When an agent shows one thing and does another, user approval becomes meaningless. The confirmation dialog transforms from a security control into a formality.” The security firm reported the findings to each affected vendor in the first quarter of 2026. AWS, Google, and Cursor confirmed the vulnerability and rolled out patches. Anthropic does not view the findings as a vulnerability, but the AI company said it had added mitigations against such attacks prior to Wiz’s report. Augment and Windsurf have confirmed receipt of the vulnerability reports but have yet to release fixes, according to Wiz. The cybersecurity company on Wednesday published technical details for the GhostApproval vulnerability. Related: Amazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories Related: Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt Injection Related: CISA Reportedly Using Anthropic’s Mythos to Scan Government Software for Flaws Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Eduard Kovacs Google Patches 382 Chrome VulnerabilitiesBlueHammer Vulnerability Exploited in Ransomware AttacksNissan Employee Data Breached in Oracle PeopleSoft HackNew Controller Flaws Expose Highway Signs and Billboards to Remote HackingWhatsApp Rolling Out Username Feature to Bolster Phone Number PrivacyInsurance Regulators Group NAIC Hit in Oracle PeopleSoft HackOpenAI Unveils GPT-5.6 Sol as Its Most Advanced Cybersecurity AIAmazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories Latest News Chrome 150 Update Patches 27 Vulnerabilities8Layers Raises $2.9 Million for Identity Security PlatformUnpatched Backdoor in Tenda Firmware Grants Admin Access to DevicesAccenture Confirms Data Breach After Hacker Claims Source Code TheftChina-Linked APT Expands Arsenal With New ‘Leash’ BackdoorsWebinar Today: Why Email Security Keeps FailingGoogle Dialogflow CX Bug Allowed Attackers to Hijack AI ConversationsCISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveSherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Entities

Claude Code (product)Amazon Q Developer (product)Cursor (product)Google Antigravity (product)Augment (product)Windsurf (product)