Six AI Coding Agents Will Write an Attacker's SSH Key to Your Server — the Approval Box Showed the Wrong File. GhostApproval Makes 'the AI Agent Is the New Login Shell' Literal.
- Patrick Duggan
- 3 minutes ago
- 5 min read
Wiz published GhostApproval on July 8, and it is the cleanest proof yet of a thing we started writing in April: the AI coding agent is now the login shell, and the security industry is still protecting the old one. The finding is not a bug in one tool — Wiz is explicit that it is a category-level design gap across six of the most popular AI coding assistants — and the mechanism is so old it is almost insulting. It abuses the symbolic link, a Unix feature older than most of the developers using these tools. The result: a repository you cloned to "let the AI take a look" can write an attacker's SSH key into your ~/.ssh/authorized_keys and hand them a login to your machine, while the approval dialog you clicked told you that you were editing a harmless config file.
How the trick works, and why it is worse than a normal bug
Here is the whole attack, and its elegance is the point. An attacker publishes a repo. Inside it is a file named something innocuous — project_settings.json — except it is not a file, it is a symlink that quietly points somewhere else on disk: your ~/.ssh/authorized_keys. The repo's README, which the agent reads and trusts as instructions, says "add this line to project_settings.json." The line is the attacker's own SSH public key dressed up to look like a setting. The agent goes to write "a config value" to "a local file," the symlink redirects the write to your SSH login file, and now the attacker can log into your box as you. Same move works on your shell startup file, your cloud credentials, anything the process can reach.
The reason this is worse than a garden-variety vulnerability is the second half of the name: GhostApproval. These tools show you an approval box before they write — that is the entire safety model, the human in the loop. But the box named only the innocent file. The write went somewhere else. The approval you gave was a ghost of the action that actually happened. A safety control that shows you the wrong thing is worse than no control, because it manufactures confidence at the exact moment you should be suspicious.
The honest, flat part — because our beat is calling this straight
The six affected tools, per Wiz, are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. We are not going to spin this by whose logo is on it, and we use Claude ourselves — so here is the flat version. Three vendors (Amazon, Cursor, Google) rated it critical or high and shipped fixes with CVEs. Two have not. And Anthropic disputes that it is a bug at all.
The most interesting detail cuts against the easy narrative: Wiz reports that Claude Code's own reasoning had already identified the real target — its internal notes flagged that project_settings.json was actually pointing at a shell configuration file — and yet the approval box surfaced to the human named only the harmless file. Read that carefully, because it is the whole lesson: the model was smart enough to catch the deception, and the user experience threw the catch away. That is not a stupid-AI story. It is a trust-boundary story — the intelligence and the interface disagreed, and the interface is what the human acted on. Whether you call that "a bug" or "working as designed," as Anthropic's position implies, is a real disagreement worth having in the open. Our read: if the model knows the target is dangerous and the human is shown a safe name, the safe name is a lie the tool told on the model's behalf, and that gap is the vulnerability regardless of which side of the API it lives on.
This is the thesis we have been writing for three months
We said it plainly on April 30 in "The AI Agent Is the New Login Shell: Six Holes in Seven Days," and again in June, and again on July 1 when Adversa AI showed that ten of eleven AI coding agents could be fooled by shell tricks older than their users. The through-line every time: an AI coding agent is a privileged process that acts on instructions it reads from untrusted input — a repo, a README, a dependency, a webpage. That is the exact definition of a login shell an attacker can talk to. GhostApproval is that thesis with an SSH key on the end of it. And it rhymes with the other half of the problem we covered this week — poisoned dependencies (ChocoPoC) and, at the far end, JADEPUFFER, where the AI is not the victim of the attack but the one running it. The AI agent is now both the attack surface and the attacker. GhostApproval is the surface half, made concrete.
What to actually do — and where we can help
Treat every AI coding agent as a privileged, internet-facing process, because that is what it is. Concretely: run agents that touch untrusted repos in a sandbox or container with no access to `~/.ssh`, cloud credentials, or shell rc files — the write should have nowhere dangerous to land even if the symlink redirects it. Turn off blanket auto-approve; the human-in-the-loop only works if the loop is real, and GhostApproval shows the loop can be spoofed, so assume approvals are untrustworthy and constrain the blast radius instead. Patch the tools that shipped fixes (Amazon Q, Cursor, Google Antigravity). And treat any repo you did not write as hostile input to the agent, the same way you treat an email attachment.
On the dependency half of this — the poisoned-package vector that lives right next to the symlink one — that is where we ship something you can use today. Our free MCP tool, check-package, lets your AI agent refuse a malicious dependency before it installs: one call, no key. It will not stop a symlink write, but it closes the sibling door, and it is the pattern we think the whole category needs — guardrails that assume the agent will be handed hostile input and check it, rather than trusting the approval box. That is the posture GhostApproval proves you need.
The honest note
We did not find GhostApproval — this is Wiz's research, disclosed July 8, and we credit it fully, along with the reporting from The Hacker News, The Register, and others. There are no IOCs to add to a feed here; it is a technique and a design gap, not a campaign. What we bring is the placement: this is the fourth time in three months we have documented the AI coding agent as the new privileged attack surface, and GhostApproval is the sharpest instance yet because it defeats the one control everyone points to — the approval prompt. We hold this at 95 percent, and the five percent is that the vendor-by-vendor fix status will keep moving and reasonable people (Anthropic among them) disagree on the "bug" label. The durable part is not the label. It is that an AI agent will do what a README tells it, to a file that is not the file you were shown — and until sandboxing is the default, that is a login shell with the door open.
Sources: Wiz research on GhostApproval (July 8, 2026); reporting via The Hacker News, The Register, Infosecurity Magazine, and TechTimes; DugganUSA prior coverage — "The AI Agent Is the New Login Shell" (2026-04-30), "Ten of Eleven AI Coding Agents Can Be Fooled by Bash Tricks" (2026-07-01), the ChocoPoC and JADEPUFFER coverage (2026-07-13/14) — and our free check-package MCP tool, queried directly.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
