Researchers at Wiz discovered critical security flaws in six popular AI coding assistants that could allow malicious code repositories to execute commands on developer machines. The vulnerabilities, identified as "GhostApproval Symlink Flaws," exploit a mechanism where the AI assistant requests permission to modify a seemingly innocuous file. However, the write operation is redirected to a sensitive system file, enabling unauthorized code execution. The affected AI coding assistants include Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. These tools are designed to assist developers by suggesting code, automating tasks, and integrating with development workflows. The discovered flaw bypasses standard security checks by tricking the AI into performing a malicious write operation under the guise of a legitimate file edit. According to Wiz's analysis, the exploit involves a specially crafted repository that, when accessed by the AI coding agent, triggers the symlink vulnerability. This allows the malicious repository to gain control over the developer's environment, potentially leading to data theft, system compromise, or the deployment of further malware. The researchers have provided detailed technical explanations of the symlink attack vector and its implications for AI-assisted development tools. This discovery highlights a significant security risk in the rapidly evolving landscape of AI-powered developer tools. As AI assistants become more integrated into coding workflows, ensuring their security and preventing them from being exploited by malicious actors is paramount. The identified vulnerabilities underscore the need for rigorous security audits and robust protective measures for all AI tools that interact with developer systems and sensitive codebases.