AI Coding Assistants Fooled by Decades-Old File Trick to Attack Developer Machines

A technique as old as Unix itself let researchers plant hidden traps inside innocent-looking code projects, then watch AI tools quietly rewrite the wrong files while developers clicked 'approve'.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial photograph, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • Wiz, the Google-owned cloud security firm, published research on Wednesday showing that six widely used AI coding assistants can be manipulated using a file-system trick that has existed since the early days of Unix.
  • The attack, named GhostApproval, was confirmed to work against Claude Code, Amazon Q Developer, Cursor, Google Antigravity, Augment, and Windsurf.
  • AWS, Google, and Cursor have released fixes; Anthropic says it added protections before Wiz reported the flaw; Augment and Windsurf have acknowledged the reports but not yet patched.
  • Researchers warn the attack can give criminals the ability to run any code they choose on a targeted developer's computer.

Researchers at Wiz have shown that some of the most popular AI coding tools can be tricked into editing files they were never supposed to touch, using a file-system feature so old it predates the modern internet.

The trick is called a symbolic link, or symlink for short. Think of it like a shortcut icon on a desktop: the icon looks like a file or folder, but clicking it actually opens something stored elsewhere. Attackers have known how to abuse symlinks for decades. Wiz's new finding is that today's AI coding assistants fall for the same trap.

How does a developer end up getting hacked?

A criminal publishes what looks like a normal software project and hides a fake shortcut inside it. The shortcut appears to be an ordinary project file, but it secretly points to a sensitive location on the developer's computer, such as a system configuration file. When the developer opens the project in an AI coding assistant and asks the tool to make edits, the AI follows the hidden shortcut and rewrites the real target instead.

Most of these tools include a safety step: a confirmation box that asks the user to approve any file change before it happens. That sounds reassuring. The problem is that several of the tools showed the user the innocent-looking fake path in the dialogue box, not the actual file being changed. So the developer clicked approve, believing they were authorising a minor edit to a project file, while the AI quietly overwrote something far more sensitive.

"The confirmation dialog transforms from a security control into a formality," Wiz wrote in its published research. The safety net only works, the firm noted, if it shows accurate information.

Successful exploitation could allow an attacker to run any commands they choose on the developer's machine, a condition security researchers call remote code execution.

Wiz reported its findings to all six vendors in the first quarter of 2026. AWS, Google, and Cursor confirmed the vulnerability and shipped patches. Anthropic, which makes Claude Code, said it does not classify the behaviour as a vulnerability but told Wiz it had added mitigations before the report arrived. Augment and Windsurf have acknowledged the reports; neither has released a fix as of publication.

What developers should do now. If you use any of the tools named above, check that your software is fully up to date. Be cautious about opening repositories from unfamiliar sources in AI coding tools. Before approving any file-write prompt, confirm the displayed path matches what you actually expect to be changed. If the path looks odd or leads outside your project folder, decline and investigate.

Threat Vectr will update this article when Augment and Windsurf confirm patches.

© 2026 Threat Vectr