AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique
GhostApproval is a newly disclosed attack method targeting AI coding assistants by exploiting a decades-old symbolic link (symlink) vulnerability. Attackers plant symlinks in repositories that appear benign but point to sensitive system files. When developers use AI coding tools to edit these repositories, the tools follow the symlinks and modify unintended files without revealing the true target in confirmation dialogs. This undermines the Human-in-the-Loop safety model, potentially allowing remote code execution on developer machines. Some affected AI coding assistants have released patches, while others have yet to do so.
AI Analysis
Technical Summary
GhostApproval leverages the symbolic link following behavior in file systems, where programs operate on the symlink target rather than the link itself. Attackers create symlinks in seemingly normal project repositories that redirect AI coding assistants to sensitive locations outside the workspace. When developers instruct AI assistants to make edits, the assistants follow these symlinks and write to the attacker's chosen targets. Confirmation dialogs intended to prevent unauthorized writes fail to display the canonical path, misleading users into approving harmful changes. This vulnerability affects multiple AI coding assistants including Claude Code, Amazon Q Developer, Cursor, Google Antigravity, Augment, and Windsurf. AWS, Google, and Cursor have confirmed and patched the issue; Anthropic has mitigations in place and does not consider it a vulnerability; Augment and Windsurf have acknowledged the reports but not yet released fixes.
Potential Impact
Successful exploitation of GhostApproval can lead to remote code execution on a developer's machine by tricking AI coding assistants into modifying sensitive system files. The attack bypasses sandboxing and confirmation dialogs by hiding the true file paths, rendering user approval ineffective. This compromises the security of developer environments and potentially the broader systems they have access to.
Mitigation Recommendations
Patches have been released by AWS, Google, and Cursor to address this vulnerability. Anthropic has implemented mitigations and does not classify this as a vulnerability. Augment and Windsurf have acknowledged the issue but have not yet provided fixes. Users should apply available patches promptly. Until fixes are available, users should exercise caution when opening repositories from untrusted sources and verify file paths carefully. Monitor vendor advisories for updates on remediation status.
AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique
Description
GhostApproval is a newly disclosed attack method targeting AI coding assistants by exploiting a decades-old symbolic link (symlink) vulnerability. Attackers plant symlinks in repositories that appear benign but point to sensitive system files. When developers use AI coding tools to edit these repositories, the tools follow the symlinks and modify unintended files without revealing the true target in confirmation dialogs. This undermines the Human-in-the-Loop safety model, potentially allowing remote code execution on developer machines. Some affected AI coding assistants have released patches, while others have yet to do so.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
GhostApproval leverages the symbolic link following behavior in file systems, where programs operate on the symlink target rather than the link itself. Attackers create symlinks in seemingly normal project repositories that redirect AI coding assistants to sensitive locations outside the workspace. When developers instruct AI assistants to make edits, the assistants follow these symlinks and write to the attacker's chosen targets. Confirmation dialogs intended to prevent unauthorized writes fail to display the canonical path, misleading users into approving harmful changes. This vulnerability affects multiple AI coding assistants including Claude Code, Amazon Q Developer, Cursor, Google Antigravity, Augment, and Windsurf. AWS, Google, and Cursor have confirmed and patched the issue; Anthropic has mitigations in place and does not consider it a vulnerability; Augment and Windsurf have acknowledged the reports but not yet released fixes.
Potential Impact
Successful exploitation of GhostApproval can lead to remote code execution on a developer's machine by tricking AI coding assistants into modifying sensitive system files. The attack bypasses sandboxing and confirmation dialogs by hiding the true file paths, rendering user approval ineffective. This compromises the security of developer environments and potentially the broader systems they have access to.
Mitigation Recommendations
Patches have been released by AWS, Google, and Cursor to address this vulnerability. Anthropic has implemented mitigations and does not classify this as a vulnerability. Augment and Windsurf have acknowledged the issue but have not yet provided fixes. Users should apply available patches promptly. Until fixes are available, users should exercise caution when opening repositories from untrusted sources and verify file paths carefully. Monitor vendor advisories for updates on remediation status.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/ai-coding-tools-tricked-into-hacking-developer-machine-via-decades-old-technique/","fetched":true,"fetchedAt":"2026-07-09T09:02:31.406Z","wordCount":1178}
Threat ID: 6a4f63a768715ace43070ef8
Added to database: 07/09/2026, 09:02:31 UTC
Last enriched: 07/09/2026, 09:02:36 UTC
Last updated: 07/09/2026, 09:02:36 UTC
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.