Updated
Updated · InfoWorld · Jul 9
Wiz Finds 6 AI Coding Assistants Exposed to GhostApproval Sandbox-Escape Flaw
Updated
Updated · InfoWorld · Jul 9

Wiz Finds 6 AI Coding Assistants Exposed to GhostApproval Sandbox-Escape Flaw

3 articles · Updated · InfoWorld · Jul 9

Summary

  • Six AI coding assistants can be tricked by a malicious repository into accessing files outside their workspace sandbox, potentially leading to remote code execution on a developer’s machine, Wiz said.
  • GhostApproval combines a long-known symlink attack with misleading approval prompts: the agent may recognize a dangerous target internally, but the user sees a harmless-looking edit request and approves it.
  • AWS, Cursor and Google fixed the issue after disclosure, Anthropic had already patched it, while Augment and Windsurf/Devin acknowledged Wiz’s report but then went silent.
  • Analysts said the flaw is concentrated in workflows involving untrusted repositories, forks and open-source dependencies, but it exposes a broader weakness in relying on human-in-the-loop approvals as a safety control.
  • Researchers and consultants described the pattern as a category-wide design problem across AI coding tools, urging enterprises to treat them as privileged software, isolate them, and not trust their own dialogs as governance.

Insights

As AI assistants become attack vectors, can they be used securely without being completely isolated from the system?
A worm hit 73 repos in 105 seconds. Is this the dawn of self-spreading AI-powered malware?
When a deceived AI agent causes a data breach, who is legally responsible: the user, the vendor, or the attacker?

GhostApproval: How a Category-Level Design Gap in AI Coding Assistants Enabled Remote Code Execution on Developer Machines

Overview

On July 8, 2026, cybersecurity researchers from Wiz publicly disclosed GhostApproval, a critical vulnerability that exposes a category-level design gap in many AI coding assistants. This flaw allows attackers to hide malicious symlinks in project files, which, when processed by AI tools during workspace setup, can grant unauthorized access to sensitive files like SSH keys on developer machines. The discovery highlights the urgent need for truly effective Human-in-the-Loop controls and underscores the broader challenge of making AI systems both powerful and trustworthy, as current safeguards often fail to protect users from these sophisticated attacks.

...