Logo
FrontierNews.ai

Google Antigravity Fixed GhostApproval Attack, But Two Major Tools Still Vulnerable

Google's Antigravity IDE was vulnerable to a sophisticated attack called GhostApproval that could let malicious code repositories secretly compromise a developer's computer, but the company has already released a fix. Security researchers at Wiz discovered that the flaw affected six popular AI coding assistants, including Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf.

How Does the GhostApproval Attack Work?

The attack exploits a decades-old Unix feature called a symbolic link, or symlink, which acts like a hidden pointer to another file on your computer. When an AI coding agent writes to what it thinks is a harmless file, the symlink secretly redirects that write to a sensitive target instead. Wiz researchers demonstrated the attack by creating a malicious repository with a symlink named "project_settings.json" that actually pointed to a developer's SSH login file at ~/.ssh/authorized_keys.

The real danger lies not in the symlink itself, but in how the approval system fails. When the AI agent asks for permission to edit a file, it shows the developer the wrong filename. The developer sees "project_settings.json" and clicks Accept, believing they are editing a local configuration file. In reality, the write lands on the SSH keys file or shell startup file, giving an attacker a backdoor into the system.

Some tools were even worse. Windsurf wrote files to disk before showing the approval dialog, meaning the malicious code was already in place by the time the developer saw the prompt. Augment showed no dialog at all and silently read AWS credential files outside the project folder.

Which Tools Are Patched and Which Remain at Risk?

Wiz reported the issue to all six vendors in July 2026. Here is where each tool stands as of the report's publication:

  • Amazon Q Developer: Fixed in Language Server 1.69.0 with CVE-2026-12958; update installs automatically for most users
  • Cursor: Fixed in version 3.0 with CVE-2026-50549; update available through the extension manager
  • Google Antigravity: Fixed with a CVE pending; developers should update to the current version
  • Augment: Acknowledged the flaw but has not yet released a fix; users should avoid pointing it at untrusted repositories
  • Windsurf: Acknowledged the flaw but has not yet released a fix; users should avoid pointing it at untrusted repositories
  • Anthropic Claude Code: Disputed the classification as a bug; current versions include a symlink warning and users should read it before accepting edits

Anthropic took a different stance than the other vendors. The company told Wiz that the scenario sits "outside our threat model" because the developer chose to trust the folder when starting the session and then approved the edit. Anthropic also noted that Claude Code shipped a symlink warning in early February 2026, before Wiz's private report, as routine hardening rather than a fix in response to the vulnerability.

How to Protect Your System From Symlink Attacks?

Beyond updating to patched versions, security experts recommend several practical steps to reduce risk when working with AI coding agents:

  • Run with Limited Access: Execute the AI agent with restricted file access, or inside a sandbox or container that isolates it from sensitive system files and prevents writes outside the project directory
  • Review Repositories Before Setup: Manually examine the project's README file and any hidden configuration files to spot suspicious instructions before letting an AI agent "set up" a repository
  • Check File Timestamps After Work: After working in an unfamiliar repository, use commands like "ls -la ~/.zshrc ~/.ssh/authorized_keys" to check whether timestamps changed on sensitive files that sit outside the project folder and will not show up in git status

The files that attackers typically target are your shell startup file, your SSH keys, and your AI tool's own configuration. These sit outside the project folder and are invisible to standard git commands, making them easy targets for symlink attacks.

Why Is This a Broader Problem for AI Coding Agents?

The GhostApproval pattern reveals a fundamental design weakness shared across multiple AI coding tools. These agents follow a symlink using ordinary file operations, then ask for approval based on the path they were handed, not the path the write actually lands on. This is not a one-vendor mistake but a systemic issue in how AI agents interact with the file system.

In May 2026, a separate team at Adversa AI published research on SymJack, which described the same symlink-and-approval pattern affecting six coding agents, including Claude Code, Cursor, GitHub Copilot, and Grok Build. Two independent research teams finding the same vulnerability points to a shared architectural problem rather than isolated oversights.

The broader context makes this even more urgent. Repositories carrying files that steer AI agents into unsafe behavior are already showing up in the wild. In June 2026, the Miasma worm planted AI-agent configuration files in a Microsoft Azure repository so its payload ran the moment a developer opened the project in Claude Code, Cursor, or Gemini. GitHub disabled 73 affected Microsoft repositories in response.

What Do Security Experts Recommend for Tool Makers?

Wiz's advice to developers of AI coding tools is straightforward: resolve the symlink and show the real destination before asking for approval, flag any write that lands outside the project folder, and never touch the disk until the user has actually approved the action. These steps would close the gap between what the approval dialog shows and what actually happens on disk.

The fundamental issue is that "human in the loop" only protects developers if the loop tells the truth. As AI coding assistants gain more freedom to read and write files on their own, an approval box that names the wrong destination becomes a liability rather than a safeguard. Treating a deceptive repository as purely the user's problem puts the weight on the person least able to see the swap happening.