TheVortiq
Inteligencia Artificial

AI Agents Vulnerable to Unix Symlink Trick

Six popular coding assistants, including Amazon Q and Cursor, fall to a symlink attack that enables key theft and remote system control.

July 9, 2026 · 4 min read

Side view of unrecognizable hacker in hoodie sitting at white table and working remotely on netbook in light room near wall

TL;DR: The GhostApproval vulnerability allows an attacker to use a symlink in a malicious repository to trick an AI agent into overwriting critical system files, granting remote SSH access. It affects six popular assistants and demonstrates that AI agent security still has basic flaws.

What Happened?

Researchers at Wiz have identified a vulnerability, dubbed GhostApproval, affecting six AI coding assistants: Amazon Q Developer, Cursor, Codeium, JetBrains AI Assistant, Sourcegraph Cody, and Tabby. The attack exploits these agents' trust in their own generated code and repository instructions, using Unix symbolic links (symlinks) to redirect file writes to sensitive locations.

The trick is simple: a malicious repository contains a symlink pointing to a system file, such as ~/.ssh/authorized_keys. When the AI agent writes code to the repository, it follows the symlink and overwrites the remote file, adding the attacker's public key. This enables passwordless SSH access to the developer's machine.

According to Wiz, the attack does not require the agent to execute arbitrary commands; it suffices for the coding assistant to generate and write code to the working directory. Symlinks are a Unix feature dating back to the 1970s, and their abuse is a classic attack vector in operating systems. However, modern AI agents were not prepared for this type of manipulation, even though other programs, like text editors, often implement checks against symlinks.

Why Is This Important?

This vulnerability demonstrates that AI agents, despite their sophisticated protections, are susceptible to classic operating system attacks. Coding assistants are designed to autonomously execute code and modify files, but they do not adequately verify symlink targets. The attack does not require exploiting a complex AI vulnerability; a decades-old Unix trick suffices.

According to Wiz, all tested assistants approved the malicious repository without question, even those that promise to review code before execution. This indicates that current security mechanisms are insufficient to detect this type of manipulation. Wiz's report notes that although some assistants have 'code review' modes, the attack occurs in the normal autocomplete or code generation workflow, where the agent writes files without user intervention.

The historical context is relevant: symlinks have been used in privilege escalation and denial-of-service attacks for decades. For example, in 2015, a similar vulnerability was discovered in the Homebrew package manager, where a symlink could redirect installation to system locations. The difference now is that AI agents operate with elevated permissions and often run in the user's context, amplifying potential damage.

Potential Consequences

If a developer uses an AI agent to work on a public or third-party repository without carefully reviewing changes, an attacker could gain full control over their machine. Consequences include credential theft, access to private repositories, and potentially a pivot into the corporate network. Since these agents integrate into popular development environments like VS Code, JetBrains IDEs, and terminals, the impact could be widespread.

Amazon, Cursor, and other companies have been notified. Amazon issued a patch for Amazon Q Developer on February 17, 2025, according to Wiz. However, not all vendors have responded immediately; some companies are still assessing the impact. Meanwhile, users should remain vigilant and avoid automatically accepting changes from unverified repositories.

The market for AI coding assistants is booming: it is estimated that by 2025, more than 50% of developers use some form of such tool, according to GitHub data. GhostApproval could slow adoption if these flaws are not corrected, as trust in security is key for integration into critical workflows.

What Should Readers Know?

  • Don't trust blindly: Always review changes proposed by the AI agent, especially if working on a shared or public repository.
  • Update your tools: Apply security patches released by vendors (e.g., Amazon Q is already fixed).
  • Use isolated environments: Run AI agents in containers or virtual machines to limit potential damage.
  • Be wary of external repositories: Do not automatically accept code from untrusted sources, even if the agent recommends it.
“It's a reminder that security depends not only on AI but also on the underlying operating system,” Wiz's report notes.

The GhostApproval vulnerability underscores the need for AI agent developers to implement more rigorous checks on file operations, such as following symlinks and validating destinations. Until then, the responsibility falls on the end user. Compared to previous incidents, like the prompt injection attack on GitHub Copilot in 2023, GhostApproval is simpler to execute but equally dangerous, as it does not require complex social engineering. The industry must learn from this case to prevent the same mistakes from recurring in future tools.

Keep reading