PROBABLYPWNED
VulnerabilitiesJuly 10, 20264 min read

GhostApproval: Symlink Flaw Lets Malicious Repos Escape AI Coding Sandboxes

Wiz researchers discover six major AI coding assistants vulnerable to symlink attacks. Malicious repos can trick Claude Code, Cursor, and Amazon Q into writing files outside designated workspaces.

Marcus Chen

A vulnerability pattern affecting six major AI coding assistants allows malicious repositories to escape workspace sandboxes and write files anywhere on developer machines. Wiz researchers disclosed the flaw—dubbed GhostApproval—this week, demonstrating how attackers could inject SSH keys or modify shell configurations through nothing more than a crafted repository.

The affected tools include Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Some vendors have patched; others have not.

How GhostApproval Works

The attack exploits a decades-old Unix feature: symbolic links. A symlink is a file that points to another file elsewhere on disk. When an application writes to a symlink, it actually writes to the target.

Wiz demonstrated the attack by creating a malicious repository containing a symlink named project_settings.json that actually pointed to ~/.ssh/authorized_keys. When a developer cloned the repository and asked their AI assistant to "set up the workspace," the agent followed the link and wrote an attacker-supplied SSH key to the real target.

The critical issue is informed consent. In several tested tools, the AI agent internally resolved the symlink to its true destination—but the approval dialog shown to the developer displayed only the harmless filename. A developer approving "write to project_settings.json" had no indication they were actually modifying their SSH configuration.

This technique follows the same trust exploitation pattern we saw in the Cursor prompt injection vulnerabilities from last week, where malicious repositories could hijack AI agents through crafted instructions.

Affected Tools and Patch Status

ToolStatusCVE
Amazon Q DeveloperFixed (v1.69.0)CVE-2026-12958
CursorFixed (v3.0)CVE-2026-50549
Google AntigravityFixed (v1.19.6)Pending
AugmentIn progress
WindsurfAcknowledged
Claude CodeDisputed

Anthropic has taken a different position from other vendors, arguing the scenario falls "outside our threat model" because developers have already explicitly trusted the folder they're working in. The company notes that symlinks are a fundamental filesystem feature and that developers cloning untrusted repositories should expect potential risks.

Attack Scenarios

Beyond SSH key injection, Wiz outlined several other exploitation paths:

  • Shell persistence — Modify ~/.bashrc or ~/.zshrc to execute arbitrary commands on terminal launch
  • Git credential theft — Overwrite ~/.git-credentials to capture tokens
  • Editor extensions — Install malicious VS Code extensions through configuration file manipulation
  • CI/CD poisoning — Modify local workflow files to inject commands into pipelines

The common thread is that developers trust their AI assistants to operate within project boundaries. GhostApproval breaks that assumption.

Detection and Mitigation

Developers using affected tools should:

  1. Update immediately — If patches are available for your tool, install them
  2. Audit sensitive files — Check timestamps on ~/.ssh/authorized_keys, shell RC files, and Git credentials after working with unfamiliar repositories
  3. Review symlinks before cloning — Run find . -type l in cloned repositories to identify symlinks
  4. Consider repository trust levels — Treat cloning an unknown repository like running unknown code

The ChocoPOC campaign we covered earlier this week already demonstrated that malicious repositories are an active attack vector against developers. GhostApproval adds another dimension: even without executing code, simply asking an AI assistant to help configure a project can compromise the host machine.

Why This Matters

AI coding assistants are rapidly becoming standard development infrastructure. GitHub reports that Copilot now writes a significant percentage of code in repositories using it. Amazon, Google, and Anthropic are all competing to make their assistants indispensable.

But these tools operate with implicit trust. When a developer grants an AI assistant write access to their workspace, they expect that access to stay bounded. GhostApproval demonstrates that the boundary isn't as solid as it appears.

The dispute over whether this is a vulnerability or expected behavior reflects a deeper question about AI tool threat modeling. Traditional software has clear security boundaries documented in threat models. AI assistants operating on user instruction are inherently more flexible—and that flexibility can be exploited.

Wiz's full technical writeup includes additional details on the discovery and responsible disclosure timeline.

Related Articles