The GhostApproval bug disrupts six leading AI coding agents.

The GhostApproval bug disrupts six leading AI coding agents.

      The security company Wiz has discovered an old Unix technique that compromises six popular AI coding assistants, including Amazon Q and Cursor. A malicious repository can trick an agent into bypassing its safety prompt, leading to the installation of a key that gives an attacker access to the developer’s machine.

      The researchers at Wiz identified a flaw they have named GhostApproval affecting six widely used AI coding tools, according to The Register. This flaw allows a manipulated repository to push an agent to create files well outside its designated workspace, ultimately enabling an attacker to gain control of the developer’s machine.

      The six affected tools are Amazon Q Developer, Anthropic’s Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. This tactic relies on a decades-old exploit involving symbolic links, or symlinks, which are shortcuts that redirect to another location silently.

      Here’s how the trap is set:

      An attacker creates a compromised repository containing a symlink disguised as a seemingly innocuous configuration file, such as project_settings.json. In reality, it links to the user’s SSH keys. A README instructs the agent to insert a line into that "config" file during the setup.

      When a developer clones the repository and prompts the agent to "set up the workspace," the agent follows the README and unwittingly adds an attacker-controlled SSH key to the actual keys file. This grants the attacker silent, password-free access to the machine, similar to a previous vulnerability found in Amazon Q’s booby-trapped repository.

      The issue with confirmation prompts:

      Most of these tools display a confirmation box prior to executing risky actions. However, Wiz found that these prompts were misleading. The agents recognized that the symlink was pointing to a risky location, but the prompt obscured the actual target by only showing the benign file name.

      Claude Code exhibited the most significant shortcomings. Its reasoning acknowledged that the file was actually a shell config. It then asked the user, “Make this edit to project_settings.json?” Wiz criticized this implied consent as “substantively empty.” It noted the misleading prompt as a second, separate issue: a UI that misrepresents what users are approving. This vulnerability is the same one that allows attackers to manipulate coding agents and deceive them into leaking private code.

      Responses from companies:

      Amazon, Cursor, and Google addressed the issue seriously. Amazon issued a CVE and fixed Q Developer, while Cursor implemented a similar patch in version 3.0. Google resolved the issue in Antigravity in May. Augment and Windsurf deemed it critical but had not released a patch at the time of the report.

      Anthropic, on the other hand, dismissed the scenario as “outside our threat model,” suggesting users had trusted the repository. Its triage system classified the ticket as “informative.” Anthropic later informed Wiz that its fix had been implemented prior to the report, with Claude Code’s symlink warning released on February 5, nine days before Wiz's filing, as a proactive measure.

      The significance of these findings:

      Organizations grant these agents extensive access to their code and cloud environments. When safety prompts fail to reveal the potential dangers, the human oversight becomes merely a formality. Vendors and researchers now have differing opinions on the solution: whether to safeguard users from deceptive repositories or to consider that the developer's responsibility. Regardless, the overarching lesson is clear: new AI systems can still fall victim to the oldest vulnerabilities.

Other articles

Mark Cuban: Lovable and Replit have the potential to outlast AI labs. Mark Cuban: Lovable and Replit have the potential to outlast AI labs. During the RAISE Summit, Mark Cuban expressed that vibe-coding tools such as Lovable and Replit can endure in the market against Anthropic and OpenAI by focusing on controlling the workflow rather than merely the code. Perplexity is discreetly developing a coding tool powered by AI. Perplexity is discreetly developing a coding tool powered by AI. Perplexity has developed an internal coding tool referred to as "Teammate," which may compete with Cursor and Claude Code, according to Business Insider. The launch has not yet been confirmed. Cloudflare and OpenAI are collaborating on a project to enhance the freshness of AI search results. Cloudflare and OpenAI are collaborating on a project to enhance the freshness of AI search results. Cloudflare is collaborating with OpenAI to integrate real-time network signals into ChatGPT's search, marking a shift for a company that was founded on preventing AI crawlers. CEO of ElevenLabs discusses $600 million in revenue and the AI laboratories. CEO of ElevenLabs discusses $600 million in revenue and the AI laboratories. At the RAISE Summit in Paris, Mati Staniszewski, the CEO of ElevenLabs, elaborated on the company's journey towards achieving a reported $600 million in revenue and discussed the startup's strategy for surpassing the AI laboratories. Gartner has found that customers favor ChatGPT over company chatbots. Gartner has found that customers favor ChatGPT over company chatbots. According to Gartner, customers are three times more likely to utilize third-party generative AI such as ChatGPT for support compared to company chatbots, as the returns on AI investments are slower than the expenditures. Only 6% of managers in the UK believe that Gen Z is prepared for the workforce. Only 6% of managers in the UK believe that Gen Z is prepared for the workforce. A CMI report reveals that 45% of UK Gen Z believe they are prepared for the workforce, while only 6% of managers concur. Furthermore, 82% of these managers were promoted without any training.

The GhostApproval bug disrupts six leading AI coding agents.

Wiz's 'GhostApproval' employs an outdated symlink technique to enable six AI coding agents, ranging from Amazon Q to Cursor, to operate beyond the sandbox and transfer ownership of the box.