Home Risk & Resilience GhostApproval Flaw Exposes AI Coding Assistants To Malicious Repository Code Execution Risks

GhostApproval Flaw Exposes AI Coding Assistants To Malicious Repository Code Execution Risks

0
GhostApproval Flaw Exposes AI Coding Assistants To Malicious Repository Code Execution Risks

Security researchers at Wiz have disclosed a new vulnerability pattern named GhostApproval that affects several popular AI coding assistants and could allow malicious repositories to execute unauthorized actions on developers’ systems. The issue impacts Amazon Q Developer, Anthropic’s Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. According to the researchers, the flaw can be exploited by creating a booby trapped code repository that tricks an AI coding assistant into modifying a seemingly harmless file while the changes are actually written to a sensitive system file. Wiz published its findings on July 8 and stated that three of the affected vendors have already released fixes, while two are still working on patches and Anthropic disputes that the behavior constitutes a vulnerability.

The attack technique relies on symbolic links, commonly known as symlinks, which are references that point one file path to another location on a system. Researchers created a malicious repository containing a symlink named project_settings.json that secretly pointed to the victim’s SSH login file, specifically the authorized keys file. The repository’s instructions directed the AI assistant to add a line to the configuration file, but the inserted line was actually an attacker’s SSH key disguised as a harmless setting. If the affected machine is running an accessible SSH service, the attacker could potentially gain remote access without requiring a password. Researchers also demonstrated a second scenario in which the attack targeted the shell startup file, allowing malicious commands to execute the next time a terminal session is opened. Wiz emphasized that there is currently no evidence that the technique has been used in real world attacks and described the findings as security research intended to highlight a broader design weakness.

The researchers argued that the primary issue lies in how AI coding assistants present approval prompts to users. In many cases, the approval dialog displays only the harmless file name rather than the actual destination file being modified through the symlink. Testing showed that some assistants were aware of the true destination internally but still presented misleading information to the user. Wiz described this as an informed consent bypass because users approve an action without understanding its real impact. Certain tools were found to be even more exposed. Windsurf reportedly writes changes to disk before the user has an opportunity to accept or reject the modification, effectively turning the prompt into an undo mechanism rather than a preventive control. Augment, according to the researchers, displayed no approval dialog at all and was demonstrated reading sensitive files located outside the project directory.

Among the affected products, Amazon Q Developer addressed the issue in Language Server version 1.69.0 under CVE 2026 12958, Cursor fixed the flaw in version 3.0 under CVE 2026 50549, and Google Antigravity also released a patch with a CVE identifier still pending. Augment and Windsurf acknowledged the findings but have not yet issued fixes, while Anthropic maintained that the scenario falls outside its threat model because users had already trusted the repository and approved the action. The disclosure follows earlier research from Adversa AI, which identified a similar symlink and approval pattern known as SymJack affecting multiple coding assistants. Researchers say the repeated discovery of these issues indicates a shared design weakness across AI development tools rather than isolated implementation problems. The findings also come after reports of the Miasma worm planting AI agent configuration files in Microsoft Azure repositories to execute payloads when projects were opened in tools such as Claude Code, Cursor, and Gemini, highlighting growing concerns about the security implications of increasingly autonomous coding assistants.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.