GhostApproval Flaws Let Top AI Coding Tools Write Outside Workspaces
A malicious code repository can abuse symbolic links to push several popular AI coding assistants beyond their approved workspace, according to new research from Wiz. The vulnerability pattern, named GhostApproval, affected tools from Amazon, Anthropic, Augment, Cursor, Google, Windsurf, and Cognition, with outcomes including misleading approval prompts to file changes made before users could respond.
Wiz researchers found that by using symbolic links, commonly known as symlinks, attackers could disguise repositories’ sensitive system files as ordinary project files. When an AI assistant followed the link, an edit presented as a change to a local configuration file could reach files such as ~/.ssh/authorized_keys or ~/.zshrc outside the project directory.
In one proof of concept, a repository included a file named project_settings.json that pointed to the developer’s SSH authorization file. Instructions in the repository asked the coding assistant to add configuration data, but the supplied content was an attacker-controlled SSH public...
Copyright of this story solely belongs to hackread.com. To see the full text click HERE