GhostApproval: Symlink trick lets malicious repos hijack AI coding agents, bypass human-in-the-loop safeguards
Published · updated · curated by AI Is Going Just Great
Source: theregister.com ↗
"The consent is formally present but substantively empty." — Wiz researcher Maor Dokhanian on GhostApproval's deceptive confirmation prompts
Google-owned security firm Wiz disclosed a "systematic vulnerability pattern" — dubbed GhostApproval — affecting at least six major AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. The attack is elegantly old-school: an attacker plants a symlink disguised as an innocent config file in a malicious repo, then instructs the AI agent via README to "set up the workspace." The agent dutifully follows the symlink — say, to ~/.ssh/authorized_keys — and writes the attacker's SSH public key, granting persistent, passwordless access to the victim's machine. The twist is that the confirmation dialogs these tools show to users display the fake filename, not the sensitive real target, making human approval functionally meaningless.
Amazon, Cursor, and Google treated the bug as critical or high-severity and issued patches and CVEs. Augment and Windsurf acknowledged the report but had not patched at press time. Anthropic initially closed the ticket as outside its threat model — putting responsibility on users for trusting a malicious directory — before later noting it had already shipped a symlink warning nine days before Wiz's report, via "proactive security hardening based on internal review." As Wiz's researcher put it: "The consent is formally present but substantively empty."