Wiz disclosed GhostApproval, an attack that tricks AI coding assistants into following deceptive symlinks and modifying files outside the intended workspace. The issue was tested against Claude Code, Amazon Q Developer, Cursor, Google Antigravity, Augment, and Windsurf, with some vendors already patching the flaw. #GhostApproval #ClaudeCode #AmazonQDeveloper #Cursor #GoogleAntigravity #Augment #Windsurf
Keypoints
- GhostApproval abuses symbolic link behavior to mislead AI coding assistants.
- The attack can cause agents to write to sensitive files outside the project directory.
- Some tools fail to show the true canonical path in approval prompts.
- The flaw may enable remote code execution on a developerβs machine.
- AWS, Google, and Cursor have patched the issue, while other vendors are still reviewing it.