Malicious repos can trick AI coding assistants into planting SSH backdoors

Researchers at Wiz have found that six of the most popular AI coding assistants can be tricked by a booby-trapped code repository into writing files far outside your project folder, in some cases planting an attacker's SSH key and handing over remote access to the developer's machine.

Wiz researcher Maor Dokhanian dubbed the pattern GhostApproval. It affects Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity and Windsurf. The underlying trick is decades old: a symbolic link, a file that silently points somewhere else on disk (the classic CWE-61 weakness). What is new is that AI agents, which read and write files on their own, fall for it just as older tools did.

How the attack works

An attacker publishes a repository in which an innocent-looking file, say project_settings.json, is actually a symlink to a sensitive path such as the victim's ~/.ssh/authorized_keys. The repo's README tells the assistant to "set up the workspace" by writing some text into that file. When the victim clones the repo and asks their AI assistant to follow the instructions, the agent writes the attacker's SSH public key straight into the real authorized_keys file, granting passwordless login. In some tools the write lands before the user is even shown a confirmation dialog.

When the safety net lies

The deeper problem is that the human-in-the-loop approval prompt, the dialog meant to keep you in control, can hide what is really about to happen. Wiz says that in Anthropic's Claude Code the agent's internal reasoning explicitly recognized the file was a symlink to a configuration file, yet the prompt shown to the user simply asked, "Make this edit to project_settings.json?" The agent knew; the user did not. Wiz classifies that as CWE-451, a user-interface misrepresentation that turns a meaningful approval into a rubber stamp.

Who fixed it

Wiz reported the findings to all six vendors. Three shipped fixes: AWS (tracked as CVE-2026-12958, remediated in Amazon Q language server version 1.69.0), Cursor (CVE-2026-50549, fixed in version 3.0) and Google. Anthropic declined to treat it as a vulnerability, arguing it falls outside Claude Code's threat model because the user must first trust the directory and then approve the prompt. Two other vendors acknowledged the report but went quiet. The same symlink primitive has burned other software for years, from package managers to container escapes.

What you should do

Update to the patched releases where they exist, and be wary of pointing an AI coding agent at a repository you do not trust. Treat "trust this folder" and edit-approval prompts as genuine security decisions rather than reflexive clicks, and consider running coding agents inside a sandbox or container that cannot reach your home directory or SSH keys. It is the same class of risk we covered when attackers hid instructions in websites to hijack AI agents: the agent does exactly what the attacker's content tells it to.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions