At a glance.
- GhostApproval flaw exploits trust in major AI coding assistants.
- Interpol operation cracks down on social engineering scams.
- Chinese APT exploits Roundcube flaws to target US and Canadian universities.
GhostApproval flaw exploits trust in major AI coding assistants.
Wiz discovered a vulnerability pattern affecting six top AI coding assistants, in which a malicious repository can trick an AI agent into accessing arbitrary files on a developer's machine and potentially achieving remote code execution. The flaw, dubbed "GhostApproval," affects Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf.
Wiz explains, "The technical primitive -- symlink following (CWE-61) – is well-known. What we found, however, goes further: in several cases, the agent's internal reasoning explicitly recognizes the dangerous target, yet the confirmation prompt shown to the user conceals this information entirely. This is CWE-451 – UI misrepresentation of critical information – layered on top of the symlink vulnerability. The user approves what they believe is a harmless local edit; the agent writes to a sensitive file outside of the project workspace."
Wiz notified all six vendors: Amazon, Cursor, and Google fixed the issue promptly, while Anthropic determined that it has sufficient measures in place to ensure that a human must confirm the file operation. Augment and Cognition (Windsurf) acknowledged receipt of the report but did not provide any further updates.

