Last updated: July 10, 2026 at 9:23 AM UTC
All 586 Vulnerability 210 Breach 110 Threat 259 Defense 7
Tag: human-in-the-loop (1 article)Clear

GhostApproval tricks AI coding agents into writing to SSH keys via symlinks

Researchers at Wiz disclosed GhostApproval, a technique that abuses symbolic links to make AI coding assistants write to sensitive files outside the project. A malicious repository includes a symlink named like an innocent file, such as project_settings.json, that actually points to the developer's SSH authorized_keys or shell startup file. When the developer asks the agent to set up the workspace, it follows the link and writes attacker content, such as an SSH key granting passwordless access. The deeper problem is that the approval prompt shows only the harmless filename, not the real target, so the human approves a change they cannot see. Wiz tested six assistants including Claude Code and Cursor.

Check
Confirm your AI coding assistants are updated to versions that resolve symlinks before showing approval prompts, and be cautious running set-up or README instructions from untrusted repositories.
Affected
Developers using AI coding assistants that follow symlinks without showing the real target; a malicious repository can trick the agent into writing SSH keys or shell config outside the project.
Fix
Update coding assistants to fixed versions, review any file write an agent proposes for symlinks and out-of-workspace paths, avoid untrusted repositories' setup instructions, and watch SSH keys and shell config.