Signal

A symlink trick fooled Claude Code, Cursor and four other AI coding agents into approving edits they didn't disclose

Security researchers at Wiz found that Claude Code, Cursor, Windsurf, Google Antigravity, Amazon Q and Augment can all be tricked into writing to sensitive files like SSH keys while showing the user an approval prompt that names a harmless-looking symlink instead of the real target — and patch response has varied sharply by vendor.