Security firm Wiz found one old Unix trick that breaks six popular AI coding assistants, from Amazon Q to Cursor. A booby-trapped repository can walk an agent past its own safety prompt. The payoff is a planted key that hands an attacker the developer’s machine.

An ancient bug just tripped up the newest tools. Researchers at Wiz found a flaw they call GhostApproval in six widely used AI coding agents, The Register reports. It lets a rigged repository push an agent to write files far outside its workspace. From there, it can seize the developer’s machine.

The six are Amazon Q Developer, Anthropic’s Claude Code, Augment, Cursor, Google Antigravity and Windsurf. The trick dates back decades. It abuses symbolic links, or symlinks, an old shortcut file that quietly points somewhere else.

How the trap springs

The attacker builds a poisoned repository. Inside sits a symlink dressed up as an innocent config file, say project_settings.json. It really points at the user’s SSH keys. A README then tells the agent to add a line to that “config” during setup.