Find notable cyber news and cases, enriched with sources, timelines, and signals.

AI coding assistants GhostApproval symlink security flaw

Vulnerability
First reported
Last updated
Happening score
H score 22
2 unique sources, 2 articles

Summary

Hide ▲

A July 8 disclosure identified GhostApproval, a symlink flaw in six AI coding assistants that can redirect approved writes into ~/.ssh/authorized_keys or ~/.zshrc and enable unauthorized access on developer machines. The affected tools are Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Three vendors have shipped fixes, two still have not, and the dangerous part is that the approval prompt can name a harmless file while the write lands on a sensitive target.

Related Happenings

HalluSquatting indirect prompt-injection attack on AI coding assistants

Technical Analysis
H score3 First: 08.07.2026 18:07 Last: 08.07.2026 18:07 Sources 1

About this happening: Researchers demonstrated **HalluSquatting**, an indirect prompt-injection technique that can push **AI coding assistants** to fetch attacker-controlled resources and execute code....

SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware

Technical Analysis
H score22 First: 06.07.2026 09:33 Last: 06.07.2026 09:33 Sources 1

About this happening: **SKILLCLOAK** shows that malicious **AI coding-agent skills** can be rewritten to evade static scanners while still executing, exposing **credentials**, **source code**, and term...

AI coding assistant adoption becomes near-universal while governance lags in software development teams

Trend
H score16 First: 09.06.2026 18:00 Last: 09.06.2026 18:00 Sources 1

About this happening: **AI coding assistants** are now used by **97%** of software engineers and DevOps professionals, but only **30%** have fully governed oversight, leaving security and compliance co...

Claude Code GitHub Action bot trigger bypass security flaw

Vulnerability
H score31 First: 04.06.2026 18:15 Last: 04.06.2026 18:15 Sources 1

About this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...

JustAskJacky fake AI assistant malware campaign

Campaign
H score33 First: 04.06.2026 17:00 Last: 04.06.2026 17:00 Sources 1

About this happening: The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...

Timeline

  1. 09.07.2026 07:27 3 articles · 17h ago

    Wiz discloses GhostApproval symlink flaw in six AI coding assistants

    Initial Disclosure

    Wiz disclosed GhostApproval, a symlink-based informed-consent bypass affecting Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. A booby-trapped repository can make an approval for project_settings.json land on ~/.ssh/authorized_keys or ~/.zshrc instead, enabling passwordless SSH or shell-startup code execution on a developer machine. Wiz said no real-world attacks were seen, and Anthropic disputed that the behavior is a bug while other vendors had shipped fixes or were still working on them.

    Show sources