Several popular AI coding assistants were tricked into facilitating developer machine hacking via an attack technique that has been known for decades, according to Google-owned cloud security giant Wiz.

Dubbed GhostApproval, the attack has been successfully tested against Claude Code, Amazon Q Developer, Cursor, Google Antigravity, Augment, and Windsurf.

GhostApproval leverages symbolic link (symlink) following, a longstanding file system behavior where a program resolves and operates on the target of a symbolic link rather than the link itself, enabling an attacker to trick privileged or sandboxed processes into accessing or modifying unintended files via deceptive paths.

The symlink vulnerability has been known since early Unix days, and Wiz researchers have now demonstrated that it’s exploitable against AI coding assistants.

In a GhostApproval attack, hackers plant a symbolic link in a seemingly benign repository that masquerades as a normal project file but actually points to a sensitive location outside the workspace.