Researchers at Wiz have identified a vulnerability impacting several popular AI coding assistants, allowing malicious code projects to surreptitiously compromise a developer’s system. This flaw, termed GhostApproval, involves the tool requesting permission to modify what appears to be an innocuous file, but actually writing to a critical one.
Overview of Affected Tools
The vulnerability affects Amazon Q Developer, Anthropic’s Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. While fixes have been deployed for three of these tools, two remain unpatched, and Anthropic disputes the classification of this issue as a bug. The most vulnerable tools are those that alter files without giving the developer a chance to review the changes.
Mechanics of the Exploit
The exploit leverages an old Unix feature called a symbolic link, or symlink, which these assistants fail to properly verify. A symlink effectively redirects file operations to a different, potentially sensitive file elsewhere on the system. Wiz’s demonstration involved creating a malicious repository with a symlink disguised as project_settings.json, actually pointing to the victim’s SSH login file.
If a developer is instructed to “set up the workspace” or follow instructions in the repository’s README, the assistant unwittingly writes an attacker’s SSH key through the symlink into the login file. An alternate approach targets the shell startup file, ~/.zshrc, allowing an attacker to execute code when a terminal is opened, bypassing the need for SSH access.
Vendor Responses and Recommendations
Wiz has reported the issue to all affected vendors. Amazon, Cursor, and Google have issued fixes, while Augment and Windsurf acknowledge the problem but have yet to release solutions. Anthropic argues the vulnerability falls outside its threat model, emphasizing that developers have the responsibility to trust the folders they work with.
To mitigate risks, developers are advised to run these AI tools with restricted file permissions, use sandbox environments, and scrutinize README and config files before initiating workspace setups. Checking file modification timestamps can also alert developers to unauthorized changes.
Industry Implications and Future Outlook
This shared flaw, also identified by Adversa AI as SymJack, suggests a systemic design weakness across various coding assistants. These tools often rely on user-provided file paths for approval prompts, which can be misleading if a symlink is involved. The overlap in discovery by different research teams underscores the need for a more robust approach to file operation security in AI tools.
As AI coding assistants evolve, ensuring that approval mechanisms accurately reflect file destination is crucial. Developers must stay vigilant and implement protective practices, while vendors are encouraged to resolve symlink issues and enhance the transparency of file operations to safeguard users.
