A systematic vulnerability in at least six of the most widely used AI coding assistants could allow attackers to break out of workspace sandboxes and execute code on a developer's machine, security researchers have warned. The flaw, named 'GhostApproval' by Google-owned security firm Wiz, exploits symbolic links — or symlinks — a decades-old Unix feature that acts as a shortcut to another file or directory.
Wiz reported the issue to Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Amazon, Cursor, and Google classified the bug as critical or high-severity and have issued fixes, with CVE trackers either already published or in progress. Augment and Windsurf acknowledged the report but have not yet patched or warned users. Anthropic added a warning after an internal review.
The attack works by creating a malicious repository containing a symlink disguised as a harmless config file, pointing instead to a sensitive system file such as ~/.ssh/authorized_keys. When a developer asks an AI agent to 'set up' the project, the agent reads the instructions and follows the symlink, writing an attacker's SSH public key to the victim's machine — granting persistent, password-less remote access. Wiz found that confirmation dialogs shown to users hid the true target of the operation, rendering the human-in-the-loop safeguard ineffective.
Maor Dokhanian, threat researcher at Wiz, said: 'In the race to ship autonomous features, trust-boundary gaps emerge between users, AI agents, and local filesystems. Classic security principles — like resolving symlinks before acting on paths — cannot be overlooked as we embrace new AI architectures.' While there is no evidence of active exploitation in the wild, the risk to enterprises deploying code-writing agents is significant.
For UK businesses, the implications are immediate. AI coding tools are routinely granted deep access to enterprise codebases and cloud environments, making them a prime target for supply-chain attacks. The Information Commissioner's Office (ICO) has not yet issued guidance on AI agent security, but the UK's emerging AI regulation framework, which emphasises safety and accountability, may need to address such trust-boundary failures. Meanwhile, the EU AI Act classifies high-risk AI systems, including those used in software development, requiring rigorous testing — a standard that GhostApproval would likely fail.
Experts warn that the vulnerability highlights a broader pattern: as AI agents gain autonomy, classic security principles are being overlooked. For UK developers and tech firms, the lesson is clear — sandboxing and symlink resolution must be hardcoded into AI tools, not left to user approval dialogs that can be easily fooled.