A trick in six AI coding helpers lets a poisoned project hijack your laptop

Researchers at Wiz found that popular AI coding assistants, including Amazon Q Developer and Claude Code, can be fooled into writing to sensitive files while asking permission for a harmless one.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal editorial shot of a modern developer workstation at dusk, two large monitors glowing with abstract code editor windows, a small permission
Share

Key points

  • Researchers at Wiz disclosed a flaw affecting six widely used AI coding assistants that lets a malicious code project quietly take over a developer's computer.
  • The affected tools are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf.
  • The assistant shows the developer a permission prompt for one harmless file, but the actual write lands on a sensitive system file.
  • The trick uses symbolic links, a normal operating system feature that points one filename at another location on disk.
  • The bug matters because these assistants run with the same access as the human developer, so a silent file swap can mean full machine takeover.

Here is the short version. If you use an AI helper to write code, and you open a project someone else made, that project can quietly reach past the safety prompts and change files it should never touch.

The research comes from cloud security firm Wiz, and was first reported by The Hacker News. The flaw hits six of the most popular AI coding assistants on the market: Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf.

In plain terms, an AI coding assistant is a program that sits inside a developer's editor and writes or edits code on request. To keep things safe, these tools usually pop up a box asking, "Is it OK if I edit this file?" The developer clicks yes, and the change goes through.

The failure mode here is that the file the developer approves is not always the file that gets written.

The attack uses something called a symbolic link, or symlink. A symlink is a normal feature of Windows, macOS and Linux: it is a small pointer file that says "when someone opens me, actually open that other file over there." Handy for developers. Also handy for attackers.

A booby-trapped project can include a file called something innocent like notes.txt, which is secretly a pointer to a sensitive system file, say your shell configuration or an SSH key. The AI assistant asks, "Can I write to notes.txt?" You say yes. The write lands on the real target instead.

Once an attacker can write to those sensitive spots, they can plant commands that run the next time you open a terminal. In practice that means full control of the developer's laptop, and often the cloud accounts, code repositories and production systems that laptop can reach.

Wiz has been calling the class of bug GhostApproval, because the approval you gave was for a ghost, not the real thing.

Should ordinary people worry about this?

Not directly, but the knock-on effects matter. Most people do not run AI coding tools. Developers do, and those developers hold the keys to the apps, banks, hospitals and shops the rest of us use every day. A laptop takeover at a software company is how customer data ends up on a leak site months later.

If you are a developer or you manage a team of them, treat this as a now problem. Update all six tools to the latest versions. Do not open unknown repositories in an editor that has an AI agent running with file-write permissions. Assume that a permission prompt from your AI assistant is only as trustworthy as the project you have open.

The vendors have been shipping fixes. The catch, one thing the post-mortem will say, is that permission prompts in AI agents were designed to reassure the human, not to actually verify what the machine is about to do. That gap is the whole vulnerability.

Operational takeaway: if your AI coding agent can write files, it can write the wrong file. Treat every untrusted repo as hostile until the tool is patched.

© 2026 Threat Vectr