AI Coding Tools at Risk: Symlink Flaw Lets Hackers Run Code
Michael Miller ·
Listen to this article~4 min
Researchers at Wiz found a symlink flaw in six AI coding assistants, including Amazon Q Developer and Claude Code, that lets malicious repos execute code on a developer's machine by tricking the assistant into writing to a sensitive file.
Imagine you're working on a project, and your AI coding assistant asks for permission to edit a file that looks perfectly harmless. You click "yes," but instead of tweaking that innocuous document, the write operation lands on a sensitive system file—giving an attacker full control of your machine. That's exactly what researchers from Wiz uncovered: a symlink vulnerability affecting six popular AI coding assistants.
The flaw, dubbed GhostApproval, exploits how these tools handle symbolic links (symlinks) during file operations. When a developer imports a malicious repository, the assistant might ask permission to modify a file like "README.md." But behind the scenes, a symlink redirects that write to a critical configuration file—like your SSH keys or bash profile. The result? Remote code execution without the developer ever realizing something's wrong.
### Which Tools Are Affected?
The following AI coding assistants are vulnerable to this attack:
- Amazon Q Developer
- Anthropic's Claude Code
- Augment
- Cursor
- Google Antigravity
- Windsurf
If you use any of these tools, it's crucial to understand the risk and take precautions.
### How the Attack Works
The attack chain is surprisingly simple. A malicious actor creates a repository that contains a symlink pointing from a harmless-looking file to a sensitive one on your system. When you open the repo in your AI assistant, the tool asks for permission to edit the harmless file. You approve, thinking it's safe. But because of the symlink, the write actually modifies the target sensitive file. From there, the attacker can execute arbitrary code on your machine.
> "The assistant asks permission to edit one harmless-looking file, but the write lands on a sensitive one instead." — Wiz Research Team
This is particularly dangerous because developers often trust AI assistants to handle file operations safely. The vulnerability bypasses that trust by exploiting a fundamental feature of the file system.
### Why This Matters for Developers
For developers using AI coding tools, this flaw represents a new class of supply chain attack. You're not just trusting the code you write—you're trusting the repository you import. Even if the code itself is benign, the symlink structure can turn it into a weapon. This is especially concerning for teams working with open-source repos or code from unverified sources.
### How to Protect Yourself
Until patches are released, here are some practical steps you can take:
- **Review file permissions carefully.** Before approving any write operation, check the destination path. If it doesn't match the file displayed, deny it.
- **Use sandboxed environments.** Run AI assistants in isolated containers or virtual machines where sensitive system files are protected.
- **Audit repositories before importing.** Scan for unexpected symlinks or hidden file structures.
- **Stay updated.** The affected tools are likely to release patches soon. Enable automatic updates to get them as soon as they're available.
### The Bigger Picture
This isn't just a bug—it's a wake-up call. As AI coding assistants become more integrated into our workflows, they introduce new attack surfaces. The convenience of letting an AI edit files comes with the risk of that trust being abused. Developers need to adopt a zero-trust mindset: assume every repository could be malicious until proven otherwise.
The GhostApproval flaw is a reminder that security isn't just about writing safe code—it's about understanding how your tools interact with your system. Stay vigilant, and don't let convenience compromise your security.
A deeper breakdown of GoLogin Review 2026 — Fast, affordable anti-detect browser with cloud profiles - real examples, numbers, and what actually works.
A deeper breakdown of Undetectable.io Review 2026 — Unlimited local profiles with solid fingerprint masking - real examples, numbers, and what actually works.