Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique

0
Medium
Vulnerability
Published: 07/09/2026 (07/09/2026, 08:52:21 UTC)
Source: SecurityWeek

Description

GhostApproval is a newly disclosed attack method targeting AI coding assistants by exploiting a decades-old symbolic link (symlink) vulnerability. Attackers plant symlinks in repositories that appear benign but point to sensitive system files. When developers use AI coding tools to edit these repositories, the tools follow the symlinks and modify unintended files without revealing the true target in confirmation dialogs. This undermines the Human-in-the-Loop safety model, potentially allowing remote code execution on developer machines. Some affected AI coding assistants have released patches, while others have yet to do so.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/09/2026, 09:02:36 UTC

Technical Analysis

GhostApproval leverages the symbolic link following behavior in file systems, where programs operate on the symlink target rather than the link itself. Attackers create symlinks in seemingly normal project repositories that redirect AI coding assistants to sensitive locations outside the workspace. When developers instruct AI assistants to make edits, the assistants follow these symlinks and write to the attacker's chosen targets. Confirmation dialogs intended to prevent unauthorized writes fail to display the canonical path, misleading users into approving harmful changes. This vulnerability affects multiple AI coding assistants including Claude Code, Amazon Q Developer, Cursor, Google Antigravity, Augment, and Windsurf. AWS, Google, and Cursor have confirmed and patched the issue; Anthropic has mitigations in place and does not consider it a vulnerability; Augment and Windsurf have acknowledged the reports but not yet released fixes.

Potential Impact

Successful exploitation of GhostApproval can lead to remote code execution on a developer's machine by tricking AI coding assistants into modifying sensitive system files. The attack bypasses sandboxing and confirmation dialogs by hiding the true file paths, rendering user approval ineffective. This compromises the security of developer environments and potentially the broader systems they have access to.

Mitigation Recommendations

Patches have been released by AWS, Google, and Cursor to address this vulnerability. Anthropic has implemented mitigations and does not classify this as a vulnerability. Augment and Windsurf have acknowledged the issue but have not yet provided fixes. Users should apply available patches promptly. Until fixes are available, users should exercise caution when opening repositories from untrusted sources and verify file paths carefully. Monitor vendor advisories for updates on remediation status.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.securityweek.com/ai-coding-tools-tricked-into-hacking-developer-machine-via-decades-old-technique/","fetched":true,"fetchedAt":"2026-07-09T09:02:31.406Z","wordCount":1178}

Threat ID: 6a4f63a768715ace43070ef8

Added to database: 07/09/2026, 09:02:31 UTC

Last enriched: 07/09/2026, 09:02:36 UTC

Last updated: 07/09/2026, 09:02:36 UTC

Views: 1

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses