One symlink trick breaks 6 top AI coding agents, from Amazon

https://media.thenextweb.com/2022/05/AI-machine-learning-backdoors.avif

Security firm Wiz found one old Unix trick that breaks six popular AI coding assistants, from Amazon Q to Cursor. A booby-trapped repository can walk an agent past its own safety prompt. The payoff is a planted key that hands an attacker the developer’s machine.

An ancient bug just tripped up the newest tools. Researchers at Wiz found a flaw they call GhostApproval in six widely used AI coding agents, The Register reports. It lets a rigged repository push an agent to write files far outside its workspace. From there, it can seize the developer’s machine.

The six are Amazon Q Developer, Anthropic’s Claude Code, Augment, Cursor, Google Antigravity and Windsurf. The trick dates back decades. It abuses symbolic links, or symlinks, an old shortcut file that quietly points somewhere else.

How the trap springs

The attacker builds a poisoned repository. Inside sits a symlink dressed up as an...

Copyright of this story solely belongs to thenextweb.com. To see the full text click HERE