Fetching from the wire…
Public story · 2026-07-11 · high
A symlink trick hides where agents actually write, so approving a safe-looking path can trigger code execution instead.
Why now: The July 11 advisory is unusual for naming six mainstream agents under one flaw instead of a single vendor's disclosure.
A symlink-following flaw, tracked as CWE-61, lets malicious repos push coding agents to write files outside their sandbox, per cybersecuritynews.com. The risk lands on anyone who clones an unfamiliar repo into an agent workspace and reviews it with the agent's help. That's a common workflow, not an edge case.
Six agents are named in the advisory: Amazon Q, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. The trick works because the approval prompt shows a path that looks safe. The agent then follows a symlink planted in the repo and writes somewhere else, so you approve a lie.
Symlink attacks are a known category, older than agent sandboxes themselves. Six separate teams built approval flows that don't resolve the link before showing the destination.
The advisory doesn't say whether fixes have shipped for each of the six agents. It also doesn't say if this has been exploited outside research testing. Until vendors confirm otherwise, the approval screen on these six tools doesn't verify what it claims to.
Each link below shares sources, entities, or timing with this story.
Cursor uses MCP / Shared entities / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Cursor uses MCP); both cover Amazon, Claude Code, Cursor, Windsurf; overlapping topics (agent, amazon, attack, claude, code).
Linked by a graph relationship (Cursor uses MCP); both cover Claude Code, Cursor, Windsurf; overlapping topics (amazon, attack, claude, code, cursor).
Linked by a graph relationship (Cursor uses MCP); both cover Claude Code, Cursor, Windsurf; overlapping topics (claude, code, coding, cursor).