GhostApproval exposed failed file-access safeguards in six AI coding assistants

Tombstone icon

Wiz found GhostApproval across six AI coding assistants: malicious repositories could hide symbolic links that redirected agent file operations outside the workspace. Wiz demonstrated misleading approval paths in some products, writes before meaningful approval in others, and silent external access in another. At the July disclosure, three vendors had fixed their reported issues, two had not announced fixes, and Anthropic disputed the classification. The Hacker News reported no sign of real-world use.

Incident Details

Severity:Catastrophic
Company:Amazon, Anthropic, Augment, Cursor, Google, and Windsurf
Perpetrator:AI coding assistants
Incident Date:
Blast Radius:Developers using six tested AI coding assistants faced misleading approvals, writes before approval, or silent access outside the project workspace

Approval showed the wrong file

Wiz published GhostApproval on July 8, 2026 after testing Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. The research began with a malicious repository. A developer cloned it, opened it with a coding assistant, and asked the agent to follow the setup instructions. The repository contained hostile instructions and a file that was not what its name suggested. Here, prompt injection meant text inside repository material being treated as instructions for the agent.

Some products asked the developer to approve a change to a harmless-looking project file. The actual write landed in a sensitive file outside the project. Others touched the sensitive file before presenting anything that resembled approval. Augment, in Wiz's tests, could read and write outside the workspace without asking at all.

Each product failed differently. In every case, the assistant received authority over files while its path checks or approval design failed to tell the developer where that authority was being used. The Hacker News reported no sign of GhostApproval being used in real attacks as of July 9. That statement describes the reporting available then; neither Wiz's post nor Cursor's advisory can prove exploitation never happened.

An old filesystem trick met a new operator

A symbolic link is a filesystem shortcut that redirects one path to another. A file named project_settings.json inside a repository can therefore point to ~/.ssh/authorized_keys, a file that controls key-based Secure Shell access, or to ~/.zshrc, a script loaded when a user starts the Z shell. Software that writes to the shortcut may change the destination instead.

Symbolic-link attacks predate AI by decades. Wiz applied that old filesystem feature to a new kind of operator: a coding assistant that reads repository instructions, edits files with the developer's permissions, and often performs routine setup work with little intervention.

In the proof of concept, the malicious repository's instructions told the assistant to update the innocent-looking settings file with an attacker's Secure Shell public key. Following the link placed that key in the developer's authorization file. If the machine exposed a reachable Secure Shell service, the key could allow passwordless access. A second demonstrated target was a shell startup file, where an attacker-chosen command could run when the developer opened a terminal. Remote code execution means causing code chosen by an attacker to run on another person's machine. Those paths explain the Catastrophic rating as potential harm, even though this disclosure concerned controlled demonstrations rather than identified victims.

Some agents recognized what the screen hid

The ugliest detail appeared in specific Wiz demonstrations where the product had enough information to notice the redirect but did not give that information to the developer at the useful moment.

Wiz showed Claude Code reasoning that the named project file was really linked to a sensitive configuration file. Its approval prompt still named only project_settings.json. Wiz also reported that Amazon Q identified the symbolic link in its reasoning, then made the change before offering an Undo control. In an Augment demonstration, the chat acknowledged that the apparent project file was actually a Z shell configuration file and then wrote to it without a consent dialog.

That evidence applies to those demonstrations. It does not establish that every tested agent recognized every destination, nor that a model reliably understands symbolic links. The narrower point is worse for the approval interface anyway: information available inside the system did not consistently reach the person expected to make the security decision.

Six assistants, several failure modes

Amazon Q Developer wrote before authorization in Wiz's test. The interface offered Undo after the file operation, which is recovery rather than consent. Amazon Web Services fixed its reported issue in language server version 1.69.0.

Claude Code displayed the project-facing link name in the demonstrated prompt while its reasoning identified a sensitive destination. Anthropic disputed Wiz's vulnerability classification. It argued that the user had already trusted the directory and approved the edit, and pointed out that a symbolic-link warning had shipped before Wiz submitted the report.

Augment silently followed symbolic links for both reads and writes in Wiz's demonstrations. The researchers showed it reading a credential file outside the project into chat and writing through links without a permission dialog. Augment acknowledged the reports but had not announced a public fix by the July disclosure.

Cursor's displayed change referred to the link inside the project; accepting it allowed the operation to reach the resolved file elsewhere. Cursor fixed the reported issue in version 3.0. Its security advisory also documents failed path resolution that could permit writes outside the workspace, which the patched version blocks.

Google Antigravity likewise showed the repository path rather than the final destination in Wiz's approval test. Google fixed the reported issue before publication. This was separate from Antigravity's earlier find_by_name flaw, where a prompt-injected search parameter could become an execution route.

Windsurf placed changes on disk before its Accept and Reject controls appeared. At that point the buttons could reverse a write, but could not prevent it. Windsurf acknowledged the report without a public fix by publication. The same malicious-repository setup exposed several ways an assistant can make supposed human review incomplete or late. The products did not behave identically.

Human review without material facts

Approval is useful only before an action and only when the person sees the facts that determine its risk. A prompt that says project_settings.json while the write will land in a shell startup file hides the decisive destination. A button shown after the write is an undo feature wearing an authorization badge. No button at all is at least less confused about the arrangement.

The malicious repository remains an important precondition. GhostApproval was not a claim that any stranger on the internet could rewrite any developer's machine at will. The developer had to bring hostile repository content into one of the tested assistants and let the agent act on it. That is also a routine use case for coding agents. Developers use them to understand unfamiliar projects, follow setup notes, and repair code they did not write. Requiring the developer to trust an unfamiliar repository before the assistant helps inspect it assumes the material is safe before the developer has used the tool to evaluate it.

A sound approval flow resolves the true destination before acting, warns when that destination sits outside the workspace, and blocks the write until permission is granted. The user should not have to inspect filesystem metadata separately to discover that the product's filename is technically true only at the least useful layer.

Amazon Q was already catalogued

Vibe Graveyard already covered Amazon Q's missing symbolic-link validation in the story about its separate Model Context Protocol auto-execution flaw. The symbolic-link flaw is tracked as CVE-2026-12958 in the Common Vulnerabilities and Exposures catalog. The Amazon finding is supporting evidence here rather than a newly discovered incident being counted twice.

By the time an approval prompt appeared, the agent had already interpreted repository instructions and chosen a tool. If the interface omitted those decisions, the developer was being asked to consent without the information needed to judge the action.

GhostApproval and IDEsaster differ

IDEsaster documented agents writing files that weaponized legitimate editor features. A generated settings file or workspace configuration could cause the underlying editor to fetch data or execute a program after the write. GhostApproval concerns an earlier boundary: where an agent's read or write actually lands, what the approval screen identifies, and whether the operation occurs before approval.

The product-specific stories differ too. Cursor's MCPoison involved approval that survived later changes to an executable Model Context Protocol configuration. Windsurf's earlier path-traversal story involved agent tools accepting paths outside the workspace despite restrictive settings. Claude Code's project-file incident involved hooks and shared configuration that could execute commands. GhostApproval uses a symbolic link to make one visible path resolve to another, then examines whether six assistants enforced and described that destination correctly.

Ordinary symbolic-link handling became site-worthy here because coding assistants were entrusted to operate across a developer's filesystem and their human-review controls did not consistently govern that power. Giving an agent file authority and calling its confirmation box a safeguard is cheap. Making the box appear before the action and show the resolved destination is the engineering work.

Discussion