Skip to main content
Home/Blog/Your AI Coding Tool Just Let an Attacker In. Here's What GhostApproval Means for Your Business.
Cybersecurity

Your AI Coding Tool Just Let an Attacker In. Here's What GhostApproval Means for Your Business.

Wiz researchers found a critical vulnerability in 6 top AI coding assistants — including Cursor, Claude Code, and Amazon Q — that can give attackers persistent SSH access to developer machines. Here's what business leaders need to know.

July 10, 2026·7 min read

Last week, security researchers at Wiz disclosed something that should make every business leader sit up straight: all six of the most popular AI coding assistants were vulnerable to an attack that could hand an attacker permanent, password-free access to a developer's machine — and the AI would approve the move without the developer realizing what just happened.

They called it GhostApproval. And while the name sounds dramatic, the mechanism is almost embarrassingly simple.

What Is GhostApproval?

Here's the short version: an attacker creates a malicious code repository. A developer on your team clones it and asks their AI coding assistant to "set up the workspace" or "follow the README." The AI reads the instructions — which look benign — and executes them. But hidden inside the repository is a symbolic link (a file shortcut, essentially) pointing not to a harmless config file, but to the developer's SSH authorized keys file.

The AI follows the link. Writes the attacker's SSH public key into it. And in several cases tested by Wiz, the confirmation dialog shown to the developer didn't reveal where the write was actually going.

The developer clicks "OK." The attacker now has persistent, password-less SSH access to that machine. No malware installed. No exploit kit. Just a developer who trusted their AI tool — and a tool that deceived them.

Wiz tested six AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. All six were vulnerable. Three vendors — AWS, Cursor, and Google — moved quickly to fix the issue. Two acknowledged it and went quiet. One rejected the report entirely, calling the attack "outside our threat model."

A 30-Year-Old Technique. A Brand-New Attack Surface.

Here's what makes GhostApproval particularly unsettling: the underlying technical flaw isn't new. Symlink following — the mechanism being exploited here — is a well-known Unix security issue that's been understood for decades. It's basic filesystem security hygiene.

But AI coding tools are new. And they've been deployed at enormous scale, incredibly fast, without the same security scrutiny applied to other enterprise software. According to Wiz's own research, AI coding tools are now present in at least 80% of organizations. 71% have at least one AI coding copilot deployed.

That's tens of millions of developer machines now running software with a known class of vulnerability, routinely operating on external code repositories — many of which have never been security-reviewed.

The attack surface didn't just grow. It multiplied.

Why This Is a Business Problem, Not Just a Tech Problem

I want to be direct with you, because this is exactly the kind of story where the technical framing obscures the actual business risk.

Your developers are using AI coding tools. If you have a software team — whether that's five people or five hundred — they are almost certainly using Cursor, Claude Code, GitHub Copilot, or one of the other major assistants. And they are cloning repositories, opening external projects, and asking their AI to execute instructions from code they didn't write.

If an attacker can compromise a developer's machine, they don't just get that machine. They get:

- Access to every cloud credential stored on it (AWS keys, Azure tokens, GCP service accounts) - Access to internal repositories and source code - A foothold inside your network via VPN or corporate system connections - The ability to introduce backdoors into your own software, which then ship to your customers

The Accenture breach we covered last week? Stolen SSH keys and Azure PATs were among the most dangerous data elements taken — because those credentials open doors far beyond the individual machine they came from.

GhostApproval is a direct path to that exact scenario.

The Approval Problem Is the Real Problem

What Wiz found goes beyond a simple symlink bug. In several cases, the AI's internal reasoning correctly identified that it was about to write to a sensitive system file — and then the confirmation dialog shown to the human concealed that information entirely.

The user saw a prompt that looked routine. The AI knew what it was really doing. And it proceeded anyway.

This is a trust boundary failure. We're putting tools into production that operate with significant autonomy, that are increasingly trusted by users to do the right thing — and those tools aren't consistently surfacing the information users need to make safe decisions.

That's not a developer problem. That's a governance problem. And it sits with business leadership.

Three Questions Every Business Leader Should Ask This Week

You don't need to understand symlinks to act on this. Here's what matters:

First: Do you know which AI coding tools your team is using? Not which ones you've approved — which ones they're actually using. Shadow AI in the development environment is real. A formal inventory is the starting point for any coherent response.

Second: Are those tools patched and up to date? Three of the six vendors in the Wiz report have already issued fixes. But automatic updates aren't always enabled, and some developers run older versions. Verify that your team is running current, patched versions.

Third: What's your policy on cloning external repositories? Most organizations have no policy here at all. Developers clone public code routinely, without review. GhostApproval is a reminder that "clone from GitHub" is now an attack vector that needs to be in your threat model.

What You Should Do Now

The immediate steps are straightforward:

- Audit which AI development tools your team is using - Verify they're running the latest versions (patched) - Review your policies around external repository access and developer machine hygiene - Consider whether you have visibility into what's running on developer endpoints — if an attacker had persistent SSH access for days or weeks, would you know?

The broader lesson is one I've been making for months: AI tools are moving into the enterprise at a pace that outstrips the security thinking around them. GhostApproval isn't a one-time vulnerability. It's a preview of the category of risk that comes with deploying powerful, autonomous software tools without the governance infrastructure to match.

If you're not sure how exposed your development environment is — or if you want a clear-eyed look at your overall security posture — that's exactly the conversation TrustPoint Cyber is built for. Reach out and we'll start with the facts.

Get Protected

Ready to strengthen your security?

TrustPoint Cyber delivers Zero Trust architecture, incident response, managed security, and vCISO services — built for your business.