Your AI Coding Assistant's 'Approve' Button Might Lie

Security researchers at Wiz spent the past several months testing six of the most widely used AI coding assistants, the tools that write and edit code alongside you, then ask for your approval before saving anything. In every single one, they found a way to make that approval screen show something other than what was about to happen.

The flaw is called GhostApproval, and it does not require the AI itself to do anything malicious. It uses a decades-old Unix trick called a symbolic link to make one file secretly stand in for another. A coding assistant asked to edit what looks like a normal project file can end up writing to something far more sensitive instead, while the approval prompt on your screen still shows the name of the harmless file.

If that sounds like a developer problem, it mostly has been, until now. But the tools involved here are not niche, and a growing number of non-developers use them too, for internal scripts, spreadsheet automations, and small custom tools built from a plain-language prompt rather than years of coding training. That is exactly the audience least equipped to notice when an approval screen is showing them the wrong thing.

How the trick actually works

A symlink is an old, ordinary file system feature. It lets one file path quietly point to a completely different location on disk, so writing to what looks like file A actually writes to file B. In a GhostApproval attack, someone builds a small code repository with a file named something harmless, like project_settings.json, that is secretly a symlink pointing to a sensitive file elsewhere on your computer, such as your SSH login credentials.

The repository's instructions tell the AI assistant to "set up the workspace" or "add a line to the config file." The assistant follows the link and writes to the real target instead of the file it appears to be editing. In several of the tools Wiz tested, the approval prompt shown to the user never updated to reflect that, so a person clicking "approve" believed they were making a small local edit while the assistant quietly modified something else entirely.

Why this matters even if you never touch code

This is not really a story about AI turning against anyone. It is an old filesystem trick wearing a new interface. What has changed is who is exposed to it. According to a CodeSignal survey cited by DevOps.com, the large majority of developers now use AI coding assistants regularly, and that same convenience has pulled in a growing number of small business owners and staff who are not developers at all, using these tools to automate a spreadsheet task or stitch together a small internal tool.

An approval prompt only protects you if it tells you the truth about what it is approving. For a stretch of time, across most of the tools Wiz tested, it didn't. The person clicking approve had no way of knowing that.

Where the six affected tools stand right now

Wiz reported the flaw to Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Amazon, Cursor, and Google treated it as a real vulnerability and shipped fixes. Augment and Windsurf acknowledged the report but had not shipped a fix at the time Wiz published its findings.

Claude Code was the case where the disagreement played out publicly. Anthropic initially described the behavior as outside its threat model, arguing that a user who trusts a folder and approves an edit has made that decision themselves. Wiz's testing showed the tool's own internal reasoning had already identified the true target file correctly, moments before showing the user a prompt that didn't reflect that. Anthropic later confirmed it had added a symlink warning to Claude Code in a February 2026 update, ahead of receiving the report, as part of routine internal security hardening.

What protects your business

Treat any downloaded template, starter project, or code repository the way you would treat an email attachment from someone you don't fully trust, since the source of the file is exactly where this attack begins. If anyone on your team uses an AI coding assistant for real business tasks, make sure it stays on its current version, since three of the six affected vendors have already shipped fixes for this specific issue.

An approval prompt is not the same thing as a security review. If a tool is making changes to your systems on your behalf, that deserves a conversation with whoever manages your IT strategy before it becomes routine, not after something goes wrong.


Frequently Asked Questions (FAQs)

Q: Do I need to stop using AI coding assistants because of this?

A: No, but the version matters. Amazon Q Developer, Cursor, and Google Antigravity have already shipped fixes, and Anthropic's Claude Code added protections before this research was even published. If your team uses one of these tools, updating to the current version closes the specific hole researchers found.

Q: I don't write code. Why would this affect me?

A: A growing number of small business employees use these same AI tools to build spreadsheets, automate repetitive tasks, or set up small internal scripts, without any formal coding background. The risk here has nothing to do with coding skill. It comes from trusting a downloaded file or template that was not fully vetted, then asking an AI assistant to act on it.

Q: What is a symlink, in plain terms?

A: A symlink is a file that looks like one thing but secretly points to another location on your computer. It's an old feature that has caused security problems for decades, long before AI tools existed. GhostApproval simply applies that old trick to a new kind of software.

Q: How would I know if this already happened to me?

A: Look for anything you did not add yourself in your SSH authorized_keys file or your shell startup file, such as .zshrc. If you are not comfortable checking that yourself, this is exactly the kind of question a support engagement can answer quickly.

Q: Is this something my IT provider should already be tracking?

A: Yes. Any business with staff using AI coding tools for real work should have someone keeping an eye on vendor security disclosures like this one, the same way they would track patches for Windows or Microsoft 365. It's a newer category of tool, but the same discipline applies.


About the author. Justin White is the founder of TechGents, an owner-operated IT consulting firm in Springfield, IL. He has nearly two decades of experience across Apple, Windows, and mixed-platform environments, helping small businesses and professionals across Sangamon County and Central Illinois run their technology without an internal IT department.


The lesson here is not to avoid AI coding tools. It is to stop treating every approval prompt as proof that a change is safe, especially when the file came from somewhere you didn't fully vet.

If your business is adopting AI tools faster than your IT strategy can keep up with, that's exactly the gap a vCIO engagement is built to close.

Questions about what your team is already running? Get in touch and we'll take a look.

Next
Next

The Microsoft 365 Phishing Scam That Skips the Fake Page