GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents
GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents
09 July 2026
Researchers at Wiz found that a flaw in six popular AI coding assistants lets a booby-trapped code project quietly take control of a developer's computer. The assistant asks permission to edit one harmless-looking file, but the write lands on a sensitive one instead.
The affected tools are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf.