GhostApproval Symlink Vulnerability Allows Malicious Repos to Execute Code in AI Coding Assistants
A vulnerability named GhostApproval allows malicious repositories to execute code in AI coding assistants by exploiting symlink flaws, enabling unauthorized access to sensitive files. Affected tools include Amazon Q Developer, Anthropic's Claude Code, and others, with some vendors having released fixes while others dispute the issue's severity.
Researchers at Wiz found that a flaw in six popular AI coding assistants lets a booby-trapped code project quietly take control of a developer's computer. The assistant asks permission to edit one harmless-looking file, but the write lands on a sensitive one instead.
The affected tools are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf.
*** END OF TRANSMISSION ***