Researchers at Wiz uncovered a symlink vulnerability affecting six major AI coding assistants that allows malicious repositories to execute arbitrary code on a developer's machine. The flaw, named GhostApproval, exploits a permissions bypass where the tools request approval to modify a benign file but redirect writes to sensitive system locations through symbolic links.

Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf all contain this vulnerability. An attacker can craft a booby-trapped code repository that tricks developers into granting write permissions. When a developer clones the malicious repo and interacts with the AI assistant, the tool attempts to execute code or modify files. The symlink redirects these operations away from the expected target file toward critical system directories or configuration files the developer never intended to authorize.

The attack chain works because these AI coding agents operate with the developer's full system privileges. Once a malicious repository gains write access through symlink redirection, it can inject code into startup scripts, modify environment variables, install backdoors, or alter authentication credentials. A developer reviewing the repository and interacting with the AI assistant sees only the harmless file listed in the permission prompt, remaining unaware that system-critical files face modification.

This vulnerability poses significant risk to enterprises deploying these tools across development teams. Developers routinely clone unfamiliar repositories from package registries, documentation sites, and open source platforms. A single compromised or attacker-controlled project can distribute the exploit to dozens of machines within an organization. The victims need not be security-aware to fall victim. The attack requires no additional social engineering beyond standard code collaboration workflows.

The severity stems from the implicit trust developers place in AI assistants and the file-write operations these tools perform without transparent logging of actual filesystem targets. Wiz's disclosure prompted vendors to address the vulnerability,