GhostApproval: Symlink Flaw Lets Malicious Repos Escape AI Coding Sandboxes
Wiz researchers discover six major AI coding assistants vulnerable to symlink attacks. Malicious repos can trick Claude Code, Cursor, and Amazon Q into writing files outside designated workspaces.
A vulnerability pattern affecting six major AI coding assistants allows malicious repositories to escape workspace sandboxes and write files anywhere on developer machines. Wiz researchers disclosed the flaw—dubbed GhostApproval—this week, demonstrating how attackers could inject SSH keys or modify shell configurations through nothing more than a crafted repository.
The affected tools include Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Some vendors have patched; others have not.
How GhostApproval Works
The attack exploits a decades-old Unix feature: symbolic links. A symlink is a file that points to another file elsewhere on disk. When an application writes to a symlink, it actually writes to the target.
Wiz demonstrated the attack by creating a malicious repository containing a symlink named project_settings.json that actually pointed to ~/.ssh/authorized_keys. When a developer cloned the repository and asked their AI assistant to "set up the workspace," the agent followed the link and wrote an attacker-supplied SSH key to the real target.
The critical issue is informed consent. In several tested tools, the AI agent internally resolved the symlink to its true destination—but the approval dialog shown to the developer displayed only the harmless filename. A developer approving "write to project_settings.json" had no indication they were actually modifying their SSH configuration.
This technique follows the same trust exploitation pattern we saw in the Cursor prompt injection vulnerabilities from last week, where malicious repositories could hijack AI agents through crafted instructions.
Affected Tools and Patch Status
| Tool | Status | CVE |
|---|---|---|
| Amazon Q Developer | Fixed (v1.69.0) | CVE-2026-12958 |
| Cursor | Fixed (v3.0) | CVE-2026-50549 |
| Google Antigravity | Fixed (v1.19.6) | Pending |
| Augment | In progress | — |
| Windsurf | Acknowledged | — |
| Claude Code | Disputed | — |
Anthropic has taken a different position from other vendors, arguing the scenario falls "outside our threat model" because developers have already explicitly trusted the folder they're working in. The company notes that symlinks are a fundamental filesystem feature and that developers cloning untrusted repositories should expect potential risks.
Attack Scenarios
Beyond SSH key injection, Wiz outlined several other exploitation paths:
- Shell persistence — Modify
~/.bashrcor~/.zshrcto execute arbitrary commands on terminal launch - Git credential theft — Overwrite
~/.git-credentialsto capture tokens - Editor extensions — Install malicious VS Code extensions through configuration file manipulation
- CI/CD poisoning — Modify local workflow files to inject commands into pipelines
The common thread is that developers trust their AI assistants to operate within project boundaries. GhostApproval breaks that assumption.
Detection and Mitigation
Developers using affected tools should:
- Update immediately — If patches are available for your tool, install them
- Audit sensitive files — Check timestamps on
~/.ssh/authorized_keys, shell RC files, and Git credentials after working with unfamiliar repositories - Review symlinks before cloning — Run
find . -type lin cloned repositories to identify symlinks - Consider repository trust levels — Treat cloning an unknown repository like running unknown code
The ChocoPOC campaign we covered earlier this week already demonstrated that malicious repositories are an active attack vector against developers. GhostApproval adds another dimension: even without executing code, simply asking an AI assistant to help configure a project can compromise the host machine.
Why This Matters
AI coding assistants are rapidly becoming standard development infrastructure. GitHub reports that Copilot now writes a significant percentage of code in repositories using it. Amazon, Google, and Anthropic are all competing to make their assistants indispensable.
But these tools operate with implicit trust. When a developer grants an AI assistant write access to their workspace, they expect that access to stay bounded. GhostApproval demonstrates that the boundary isn't as solid as it appears.
The dispute over whether this is a vulnerability or expected behavior reflects a deeper question about AI tool threat modeling. Traditional software has clear security boundaries documented in threat models. AI assistants operating on user instruction are inherently more flexible—and that flexibility can be exploited.
Wiz's full technical writeup includes additional details on the discovery and responsible disclosure timeline.
Related Articles
Amazon Q Developer Flaw Let Attackers Steal AWS Credentials via Repos
CVE-2026-12957 and CVE-2026-12958 enabled code execution and AWS credential theft when developers opened malicious repositories. Patch auto-applied for most users.
Jun 28, 2026Cursor AI Flaws Let Prompt Injection Escape Sandbox for RCE
Two CVSS 9.8 vulnerabilities in the popular AI code editor allow zero-click attacks where malicious instructions in external data sources execute arbitrary commands on developer machines.
Jul 3, 2026LiteLLM SQL Injection Exploited 36 Hours After Disclosure—CISA Issues Deadline
CVE-2026-42208, a CVSS 9.3 pre-auth SQL injection in the LiteLLM LLM gateway, was weaponized within 36 hours of disclosure. CISA added it to KEV with a May 11 federal deadline.
May 11, 2026One Researcher, Four Critical RCE Bugs in AI Frameworks
Security researcher Valentin Lobstein discovers CVSS 9.8 pickle deserialization vulnerabilities in LeRobot, ktransformers, and LightLLM. ML frameworks using pickle for network serialization create widespread attack surface.
Apr 26, 2026