
The agent knew. That is the part that stayed with me.
In one of Wiz’s demonstrations, an AI coding assistant reads a file, reasons out loud that it is a symlink pointing at a sensitive system path, and then writes to it anyway. The approval box the developer sees names only a harmless file. The human is still in the loop. The loop is showing them the wrong thing.
It was one of two disclosures that landed the same day. Together they expose a trust boundary that patches can narrow but not close.
Two attacks, one week
On July 8, Wiz
published GhostApproval. A malicious repository plants a file with an ordinary name, say project_settings.json, that is actually a symlink to ~/.ssh/authorized_keys or a shell startup file.
You ask the agent to set up the workspace. It writes through the symlink to the real target, planting an attacker’s SSH key for persistent access. Where a prompt appears at all, it shows the benign name, not the real destination.
Six tools were affected: Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf.
The same day, the AI Now Institute published Friendly Fire. Here the target is the agent’s own autonomous mode โ the opt-in setting in tools like Claude Code and Codex that lets it approve and run commands it judges safe.
A repo hides a binary disguised as the compiled build of a harmless Go file, plus a README that frames running a security.sh script as a routine pre-review check. The agent reads the README, decides the script is part of the job, and runs it. The attacker’s binary executes on the host, with no approval box.

One attack weaponizes the agent’s file access. The other weaponizes its reasoning. Both show the same failure: untrusted content in a repo crossing into actions taken with the developer’s own permissions.
Why a patch won’t close it
GhostApproval has CVEs and fixes. Amazon Q (CVE-2026-12958 ), Cursor (CVE-2026-50549 ), and current Claude Code builds resolve symlinks now; Google Antigravity was reported fixed as well. Augment and Windsurf were still open when Wiz published.
Friendly Fire is the one that should change how you buy. Its authors, Boyan Milanov and Heidy Khlaaf, state plainly that a model update cannot fix it, because the models still cannot reliably separate the code they are reading from the instructions they are meant to follow.
That is not a bug with a ticket. It is how these agents work today, and any tool whose safety story is that the model will notice inherits it.
I spent years selling AppSec tools before I started writing about them. The pattern holds: when a capability ships faster than its safety story, the gap quietly becomes the buyer’s problem.
“Outside our threat model”
In the GhostApproval disclosure, Anthropic declined to call Claude Code’s behavior a vulnerability : a trusted directory plus a human-approved edit is the user’s decision. To be fair, they had shipped a symlink warning back in February, and current versions resolve the path before writing.
The stance is defensible โ an agent you point at a folder and grant write access acts on your authority. But wherever a vendor draws that line, the residual risk lands on you, the operator.
That can be the right split, if you chose it on purpose. The real question: did your vendor tell you, in writing, where their line is?
The AI coding agent security questions I would ask this week
If you run coding agents, or you are evaluating one, these get real signal without a lab. They are the coding-agent version of the vendor questions I wrote for AI agents earlier this year:
- Where is your threat-model boundary for untrusted repo content, and what is the operator’s job versus yours?
- Does the approval prompt show a write’s real, resolved destination, and are writes outside the workspace denied by default?
- In autonomous modes, what stops repo text from running as instructions, and how do you test it?
- When you decline to call something a vulnerability, do you document it where a buyer sees it before signing?
A vendor with a clear threat model answers these directly. Vagueness on the last two is louder than any single CVE.
An AI coding agent is a scanner you have handed a shell. Before you widen its permissions, ask where the vendor’s line is โ then decide whether you are comfortable standing on the other side of it.
Do you run coding agents in your pipeline, and how did you decide what they are allowed to touch? Reply and tell me. I will feature the sharpest setups, anonymized if you want.
See you next Tuesday.
Sources
- Wiz โ GhostApproval: a trust boundary gap in AI coding assistants (July 8, 2026)
- AI Now Institute โ Friendly Fire exploit brief (Milanov & Khlaaf, July 8, 2026)
- The Hacker News โ GhostApproval symlink flaws and Friendly Fire
- The Register โ Bug in top AI coding agents shows Unix-era security headaches never really die
AppSec Santa Weekly โ vendor-side mechanics, explained for the people signing the contracts. Browse all tools or subscribe for weekly updates.