Particle.news
Download on the App Store

GhostApproval: Symlink Flaw Lets Malicious Repos Trick AI Coding Assistants

Researchers say deceptive symbolic links can make assistants write into sensitive system files and turn approval prompts into a meaningless step.

Overview

  • Wiz published technical research on July 8–9 showing that a class of attacks called GhostApproval can make AI coding assistants edit files outside a project without users realizing it.
  • The attack uses a symbolic link, a decades-old file system feature, so an assistant that follows the link writes to the link’s actual target such as ~/.ssh/authorized_keys or ~/.zshrc.
  • Wiz found the biggest failure is the approval UI: prompts often show the harmless-looking repo path while the agent has already resolved and will write to the real sensitive path.
  • Vendor responses vary: Amazon Q Developer, Cursor and Google Antigravity released fixes and CVEs; Augment and Windsurf acknowledged the report but had not patched as of publication; Anthropic says it shipped warnings earlier and disputes calling the issue a vulnerability.
  • Wiz and others urge fixes that resolve canonical paths before prompting, block or flag writes outside the workspace, delay disk writes until explicit approval, run agents with limited file access or in sandboxes, and advise developers to inspect unfamiliar repos and check timestamps on key files.