Facebook
Britain's News Portal
Around The Clock
BREAKING
Loading latest headlines…

GhostApproval bug in AI coding tools exposes UK firms to SSH attacks

A newly discovered vulnerability in six major AI coding assistants could let attackers hijack developers' machines via malicious symlinks. The flaw, dubbed GhostApproval, bypasses human oversight by hiding the true target of file operations from confirmation dialogs.

  • Google-owned Wiz found the GhostApproval vulnerability in six AI coding assistants, including Amazon Q Developer and Anthropic Claude Code
  • Attackers can trick agents into writing to sensitive files outside the workspace sandbox, enabling remote code execution
  • Amazon, Cursor, and Google have patched the issue; Augment and Windsurf have not yet fixed it
  • The flaw exploits symbolic links, a decades-old Unix security problem, now targeting AI agents

A systematic vulnerability in at least six of the most widely used AI coding assistants could allow attackers to break out of workspace sandboxes and execute code on a developer's machine, security researchers have warned. The flaw, named 'GhostApproval' by Google-owned security firm Wiz, exploits symbolic links — or symlinks — a decades-old Unix feature that acts as a shortcut to another file or directory.

Wiz reported the issue to Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Amazon, Cursor, and Google classified the bug as critical or high-severity and have issued fixes, with CVE trackers either already published or in progress. Augment and Windsurf acknowledged the report but have not yet patched or warned users. Anthropic added a warning after an internal review.

The attack works by creating a malicious repository containing a symlink disguised as a harmless config file, pointing instead to a sensitive system file such as ~/.ssh/authorized_keys. When a developer asks an AI agent to 'set up' the project, the agent reads the instructions and follows the symlink, writing an attacker's SSH public key to the victim's machine — granting persistent, password-less remote access. Wiz found that confirmation dialogs shown to users hid the true target of the operation, rendering the human-in-the-loop safeguard ineffective.

Maor Dokhanian, threat researcher at Wiz, said: 'In the race to ship autonomous features, trust-boundary gaps emerge between users, AI agents, and local filesystems. Classic security principles — like resolving symlinks before acting on paths — cannot be overlooked as we embrace new AI architectures.' While there is no evidence of active exploitation in the wild, the risk to enterprises deploying code-writing agents is significant.

For UK businesses, the implications are immediate. AI coding tools are routinely granted deep access to enterprise codebases and cloud environments, making them a prime target for supply-chain attacks. The Information Commissioner's Office (ICO) has not yet issued guidance on AI agent security, but the UK's emerging AI regulation framework, which emphasises safety and accountability, may need to address such trust-boundary failures. Meanwhile, the EU AI Act classifies high-risk AI systems, including those used in software development, requiring rigorous testing — a standard that GhostApproval would likely fail.

Experts warn that the vulnerability highlights a broader pattern: as AI agents gain autonomy, classic security principles are being overlooked. For UK developers and tech firms, the lesson is clear — sandboxing and symlink resolution must be hardcoded into AI tools, not left to user approval dialogs that can be easily fooled.

Why this matters: UK developers and enterprises are among the heaviest users of AI coding assistants; a single compromised agent could expose proprietary code, cloud credentials, and customer data to attackers.

What this means for you: What this means for you: If your workplace uses AI coding tools like Amazon Q or Claude Code, your machine could be hijacked by opening a malicious project file — always verify what your AI agent is actually writing to.

Related Articles

Get the news that matters.

Join thousands of readers getting the best of British news straight to their inbox.