// NEXUSVOID CYBER NEWS
<- ALL CYBER NEWS
High
GhostApproval, AI coding assistants, symlink, RCE, Wiz, developer security, AI agents
A Poisoned Repo Can Turn Popular AI Coding Assistants Into a Backdoor
Researchers found that six widely used AI coding assistants can be tricked by a booby-trapped repository into running an attacker's code on the developer's machine, using a decades-old symlink trick against the tool's own permission prompt.
Wiz has disclosed GhostApproval, a set of symlink flaws affecting six popular AI coding assistants that let a booby-trapped code project quietly take control of a developer's computer, as reported by The Hacker News. The assistant asks the developer for permission to edit one harmless-looking file, and a symlink redirects that approved write somewhere far more dangerous.
The clever part is that it turns the safety feature into the attack. These assistants ask before touching files precisely so a human stays in control. GhostApproval abuses that trust: you approve an edit to a file you recognize, and the write lands on a script or config that runs code, using a symlink technique that predates AI tooling by decades, per SecurityWeek.
It is not an isolated finding. In a separate proof of concept, researchers at the AI Now Institute showed that AI agents asked to scan open-source code for vulnerabilities can be tricked into executing the very malware they were meant to inspect. The pattern is the same: an agent with real access reads attacker-controlled input and acts on it.
The lesson is not to abandon these tools but to stop treating their prompts as a substitute for isolation. Run untrusted repositories in sandboxes, keep agent file and execution permissions tightly scoped, and remember that an approval prompt only protects you if what you approve is what actually happens.
Sources: The Hacker News, SecurityWeek; AI Now Institute.