GhostApproval symlink flaw lets agents overwrite files
🛡️ Researchers at Wiz disclosed GhostApproval, a symlink-based flaw in six AI coding assistants that can trick an approval prompt into writing to sensitive files. The attack uses a repository with a symlink pointing to targets like ~/.ssh/authorized_keys or ~/.zshrc; the assistant asks to edit an innocuous file but writes to the real destination. Three tools have fixes, two are still unpatched, and Anthropic disputes the classification as a bug.
