Researchers at Wiz disclosed GhostApproval, a technique that abuses symbolic links to make AI coding assistants write to sensitive files outside the project. A malicious repository includes a symlink named like an innocent file, such as project_settings.json, that actually points to the developer's SSH authorized_keys or shell startup file. When the developer asks the agent to set up the workspace, it follows the link and writes attacker content, such as an SSH key granting passwordless access. The deeper problem is that the approval prompt shows only the harmless filename, not the real target, so the human approves a change they cannot see. Wiz tested six assistants including Claude Code and Cursor.