Security researchers at Wiz have uncovered a vulnerability in six widely used AI coding agents, naming it GhostApproval. Affected tools include Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. By crafting a malicious repository, attackers can trick these AI models into accessing arbitrary files on the system, including files outside any sandbox environment.
The Symlink Attack Vector
The attack relies on symbolic links. The Wiz researchers set up a test repository containing a file called project_settings.json. This file is not a real configuration file, but a symlink pointing to the user's SSH keys at ~/.ssh/authorized_keys.
The repository's README contains an instruction telling the AI agent to write a line to project_settings.json when setting up the workspace. That line contains the attacker's SSH key. Because the agent does not properly validate the symlink, it writes directly into the SSH authorized keys file, giving the attacker unrestricted SSH access. A variation of the attack targets the shell startup file ~/.zshrc instead.
Human in the Loop Does Not Always Help
Particularly concerning: Claude Code recognizes in its internal reasoning that project_settings.json points to another file. However, it does not surface this in the user-facing dialog, asking only "Make this edit to project_settings.json?" Other tools go further: Windsurf writes the SSH key first and asks for approval afterward. Augment shows no dialog at all.
Patch Status
Wiz reported the vulnerability to vendors in February 2026. Amazon Q Developer, Cursor, and Google Antigravity have since released updates. Patches for Augment and Windsurf are still pending. Anthropic says it has been working independently of the Wiz research to add symlink detection and warnings to Claude Code.