GhostApproval symlink bugs let poisoned repos write files via AI coding tools
Source headline: GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents
Intelligence Summary
Wiz researchers identified a symlink and permission flaw in multiple AI coding assistants. When the assistant asks to edit a harmless file, it can instead write to a sensitive target through a symlink. The issue affects tools including Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. A malicious repository could quietly gain the ability to alter developer files on the machine running the agent. Users should review agent edit permissions, avoid running untrusted repos, and update tooling when fixes are released.
Recommended Action
Review affected assets, schedule urgent remediation, and monitor related indicators.