AI coding assistants GhostApproval symlink security flaw
Vulnerability
Summary
Hide ▲
Show ▼
A July 8 disclosure identified GhostApproval, a symlink flaw in six AI coding assistants that can redirect approved writes into ~/.ssh/authorized_keys or ~/.zshrc and enable unauthorized access on developer machines. The affected tools are Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Three vendors have shipped fixes, two still have not, and the dangerous part is that the approval prompt can name a harmless file while the write lands on a sensitive target.
Related Happenings
HalluSquatting indirect prompt-injection attack on AI coding assistants
Technical Analysis
H score3
First: 08.07.2026 18:07
Last: 08.07.2026 18:07
Sources 1
About this happening:
Researchers demonstrated **HalluSquatting**, an indirect prompt-injection technique that can push **AI coding assistants** to fetch attacker-controlled resources and execute code....
HalluSquatting indirect prompt-injection attack on AI coding assistants
Technical AnalysisAbout this happening: Researchers demonstrated **HalluSquatting**, an indirect prompt-injection technique that can push **AI coding assistants** to fetch attacker-controlled resources and execute code....
SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical Analysis
H score22
First: 06.07.2026 09:33
Last: 06.07.2026 09:33
Sources 1
About this happening:
**SKILLCLOAK** shows that malicious **AI coding-agent skills** can be rewritten to evade static scanners while still executing, exposing **credentials**, **source code**, and term...
SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical AnalysisAbout this happening: **SKILLCLOAK** shows that malicious **AI coding-agent skills** can be rewritten to evade static scanners while still executing, exposing **credentials**, **source code**, and term...
AI coding assistant adoption becomes near-universal while governance lags in software development teams
Trend
H score16
First: 09.06.2026 18:00
Last: 09.06.2026 18:00
Sources 1
About this happening:
**AI coding assistants** are now used by **97%** of software engineers and DevOps professionals, but only **30%** have fully governed oversight, leaving security and compliance co...
AI coding assistant adoption becomes near-universal while governance lags in software development teams
TrendAbout this happening: **AI coding assistants** are now used by **97%** of software engineers and DevOps professionals, but only **30%** have fully governed oversight, leaving security and compliance co...
Claude Code GitHub Action bot trigger bypass security flaw
Vulnerability
H score31
First: 04.06.2026 18:15
Last: 04.06.2026 18:15
Sources 1
About this happening:
**Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Claude Code GitHub Action bot trigger bypass security flaw
VulnerabilityAbout this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
JustAskJacky fake AI assistant malware campaign
Campaign
H score33
First: 04.06.2026 17:00
Last: 04.06.2026 17:00
Sources 1
About this happening:
The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...
JustAskJacky fake AI assistant malware campaign
CampaignAbout this happening: The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...
Timeline
-
09.07.2026 07:27 3 articles · 17h ago
Wiz discloses GhostApproval symlink flaw in six AI coding assistants
Initial DisclosureWiz disclosed GhostApproval, a symlink-based informed-consent bypass affecting Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. A booby-trapped repository can make an approval for project_settings.json land on ~/.ssh/authorized_keys or ~/.zshrc instead, enabling passwordless SSH or shell-startup code execution on a developer machine. Wiz said no real-world attacks were seen, and Anthropic disputed that the behavior is a bug while other vendors had shipped fixes or were still working on them.
Show sources
- GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents — thehackernews.com — 09.07.2026 07:27
- GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents — thehackernews.com — 09.07.2026 07:27
- GhostApproval Flaw Hits Six Major AI Coding Assistants — www.infosecurity-magazine.com — 09.07.2026 14:00