Wiz says GhostApproval abuses symlinks so AI coding agents write to SSH keys or shell startup files while showing benign paths.

'GhostApproval' problem highlights human-in-the-loop fails

Wiz's 'GhostApproval' uses an old symlink trick to make six AI coding agents, from Amazon Q to Cursor, write outside the sandbox and hand over the box.

Wiz says GhostApproval abuses symlinks so AI coding agents write to SSH keys or shell startup files while showing benign paths.

AI Now’s Friendly Fire PoC shows Claude Code and Codex running README-planted payloads on hosts when autonomous command approval is enabled.

Several AI coding assistants were tricked into facilitating developer machine hacking via an attack technique that has been known for decades.