One symlink trick breaks 6 top AI coding agents, from Amazon Security firm Wiz discovered a flaw called GhostApproval in six popular AI coding assistants—Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf—that allows a booby-trapped repository to trick the agent into writing files outside its workspace, potentially giving attackers access to the developer's machine. The exploit abuses Unix symbolic links and a UI that misrepresents the true destination of file operations, undermining the human-in-the-loop safety mechanism. Amazon, Cursor, and Google have patched the issue, while Augment and Windsurf have not yet shipped fixes, and Anthropic deemed it outside its threat model. Security firm Wiz found one old Unix trick that breaks six popular AI coding assistants, from Amazon Q to Cursor. A booby-trapped repository can walk an agent past its own safety prompt. The payoff is a planted key that hands an attacker the developer’s machine. An ancient bug just tripped up the newest tools. Researchers at Wiz found a flaw they call GhostApproval https://www.wiz.io/blog/ghostapproval-a-trust-boundary-gap-in-ai-coding-assistants in six widely used AI coding agents, The Register reports https://www.theregister.com/security/2026/07/08/bug-in-top-ai-coding-agents-shows-that-unix-era-security-headaches-never-really-die/5268025 . It lets a rigged repository push an agent to write files far outside its workspace. From there, it can seize the developer’s machine. The six are Amazon Q Developer, Anthropic’s Claude Code, Augment, Cursor, Google Antigravity and Windsurf. The trick dates back decades. It abuses symbolic links, or symlinks, an old shortcut file that quietly points somewhere else. How the trap springs The attacker builds a poisoned repository. Inside sits a symlink dressed up as an innocent config file, say project settings.json. It really points at the user’s SSH keys. A README then tells the agent to add a line to that “config” during setup. A developer clones the repo and asks the agent to “set up the workspace.” The agent follows the README and writes an attacker-controlled SSH key into the real keys file. That hands the attacker quiet, password-free access to the machine. It mirrors an earlier booby-trapped-repo flaw https://thenextweb.com/news/amazon-q-developer-mcp-flaw-aws-credentials-stolen in Amazon Q. The rubber-stamp problem Most of these tools show a confirmation box before risky actions. Wiz found the box lied by omission. The agents spotted that the symlink pointed somewhere dangerous. Yet the prompt hid the real target, showing only the harmless file name. Claude Code handled it worst. Its own reasoning noted the file was really a shell config. Then it asked the user, “Make this edit to project settings.json?” Wiz called that consent “substantively empty.” It logs the hidden prompt as a second, separate flaw: a UI that misrepresents what you approve. It is the same weak spot that lets attackers hijack coding agents https://thenextweb.com/news/agentjacking-ai-coding-agents-sentry and trick them into leaking https://thenextweb.com/news/gitlost-github-ai-agent-leaks-private-repos private code. Who fixed it, who shrugged Amazon, Cursor and Google treated it as a real bug. Amazon issued a CVE and patched Q Developer. Cursor did the same in version 3.0. Google fixed Antigravity in May. Augment and Windsurf called it critical but had not shipped a patch at press time. Anthropic https://thenextweb.com/news/alibaba-bans-claude-code-anthropic-tracking-chinese-users pushed back, calling the scenario “outside our threat model” because the user had trusted the directory. Its triage system closed the ticket as “informative.” Anthropic later told Wiz its fix predates the report. Claude Code’s symlink warning shipped on 5 February, nine days before Wiz filed, as proactive hardening. Why it matters Enterprises hand these agents deep access https://thenextweb.com/news/upwind-ai-sensor-endpoints-mcp-cloud-security to their code and cloud. When the safety prompt hides the danger, human-in-the-loop becomes a rubber stamp. Vendors and researchers now split on the fix: protect users from deceptive repos, or treat that as the developer’s job. Either way, one lesson holds. New AI plumbing still trips over the oldest bugs. Get the TNW newsletter Get the most important tech news in your inbox each week.