Daylila

Cybersecurity · Friday, 10 July 2026

01 · Briefing · what happened

The "are you sure?" that couldn't show you what you were saying yes to

Cybersecurity 5 min 49 sources

A flaw in six major AI coding tools let a booby-trapped project turn their safety prompt into a rubber stamp — plus Microsoft's messy Defender fix, and Interpol's 5,800-arrest scam bust.

Key takeaways

  • Researchers found a flaw in six major AI coding tools where the safety pop-up showed a harmless file name while the real write landed somewhere sensitive — so the approval couldn't protect you.
  • Microsoft patched a serious flaw in its own Windows Defender antivirus a month after it went public, and the fix itself risked filling up hard drives.
  • Interpol's 97-country operation made more than 5,800 arrests and seized $293 million from the scam networks that target ordinary people online.

The safety net that many AI coding tools rely on is a simple pop-up: before the tool writes to a file on your computer, it asks you to approve the change. Researchers at Wiz, a cloud-security firm, published a flaw on July 7 that quietly breaks that net across six of the biggest tools at once [23][12].

The approval that lied

The flaw is called GhostApproval, and it was found in Amazon Q Developer, Anthropic’s Claude Code, Augment, Cursor, Google Antigravity, and Windsurf [23]. It works by abusing something called a symbolic link — a “symlink,” a decades-old feature where one file name secretly points at a different file somewhere else on the disk [12].

Here is the trick, in plain terms. An attacker hides a symlink inside an ordinary-looking software project — say, a file named project_settings.json — but that name actually points at something sensitive, like the developer’s private login keys [23]. When the developer opens the project and tells the AI assistant to “set up the workspace” or follow the instructions, the assistant follows the hidden pointer and writes to the real target [23]. In the worst case, that hands an attacker passwordless access to the machine [12].

The safety pop-up was supposed to catch exactly this. It didn’t — because it showed the wrong thing. In several of the tools, the approval dialog displayed only the harmless file name, not the sensitive place the write would actually land [23]. “The failure is not just that the symlink is followed,” Wiz researchers wrote. “It’s that the UI doesn’t reveal the true target” [12]. The developer approved an edit they could not, in fact, see.

Whose job is it to catch this?

The six vendors did not respond the same way, and the split is the interesting part.

Amazon, Google, and Cursor treated it as a bug and shipped fixes; Cursor issued a formal tracking number, CVE-2026-50549, for it [23]. Augment and Windsurf acknowledged the reports but, as of publication, had gone quiet without a fix — leaving their users exposed [23]. Anthropic disputed that its tool’s behaviour was a vulnerability at all, arguing that a developer who chooses to trust a folder and approves an edit owns that decision, and that the scenario falls “outside our threat model” [23].

That is a genuine disagreement, not just corporate spin: should a tool protect you from a workspace that was designed to deceive you, or is trusting the workspace your call? Wiz framed GhostApproval less as six separate bugs than as a question the whole industry hasn’t settled [23]. If you use any of these assistants, the practical step is small: update to the latest version, and be wary of opening code projects from sources you don’t trust.

A messy month for Microsoft’s own defender

Microsoft, meanwhile, spent the week cleaning up a flaw in the very software meant to keep Windows safe. It patched a Defender vulnerability nicknamed RoguePlanet (tracked as CVE-2026-50656) — a bug in the engine that scans your PC for malware [9]. A researcher using the pseudonym NightmareEclipse had disclosed it in June, along with working exploit code; it let a remote attacker gain full administrative control of Windows 10 and 11 machines, even when real-time protection was switched off [3].

The fix arrived nearly a month later — and even the patch was rocky. The researcher warned that Microsoft’s update could make affected machines write files large enough to fill up the entire hard drive [3]. Separately, Google shipped Chrome 150, closing 27 vulnerabilities, including two critical ones; Google itself found nearly all of them, part of a run of more than 1,400 Chrome fixes since April as the company leans on AI to hunt bugs [1]. If you use Chrome, letting it restart to apply the update is the whole action.

The breaches: a telco and a university

Two data thefts surfaced. Japan’s KDDI, a major telecom company, said a breach affected 12 million people — the attackers got in through a zero-day flaw in a third-party system connected to its email service for internet providers [13]. A zero-day is a flaw the maker doesn’t yet know about, so there’s no patch and no warning until it’s used.

In Canada, Mount Royal University confirmed a ransomware attack — the kind where criminals break into a network. Here they deleted two file-storage drives and stole employee and student data from a shared drive [21]. The university is offering current and recent staff two years of free identity-theft and credit monitoring [21]. When an organisation you’ve dealt with offers that, taking it costs nothing and quietly closes a door.

The good news: a borderless bust

The week’s biggest number was on the right side. Interpol said a three-month operation across 97 countries led to more than 5,800 arrests and seized $293 million, targeting the social-engineering scams — romance cons, fake investments, business-email fraud, sextortion — that prey on ordinary people [22]. Investigators identified more than 142,000 victims and blocked over 31,000 bank accounts linked to the schemes [22].

The details are almost cinematic. In Eswatini, police seized a full replica of a Brazilian police station — fake uniforms, signage and all — that scammers used to convince victims they were under investigation and frighten them into transferring money [22]. “No nation can stay safe unless all countries are equipped and committed to jointly fighting back,” said Tomonobu Kaya of Interpol’s financial-crime centre [22]. The scams cross borders freely; catching them, this week, meant the police did too.

02 · Lesson · why it matters

When the "yes" button hides what you're saying yes to

A safety check only protects you if it shows you the truth — hide the real target, and asking permission becomes theatre.

The pop-up did its job. That was the problem.

The tools in today’s story were not careless. They had a safety step built in — a pop-up that stops before writing to your computer and asks: is this okay? That pause is supposed to be the moment a human catches what a machine would miss.

In the GhostApproval flaw, the pause happened. The pop-up appeared. The developer read it, saw a harmless-looking file name, and clicked yes. And the tool then wrote an attacker’s secret into their private login keys — because the name on the pop-up was not the place the write would land.

The safety net wasn’t skipped. It was shown the wrong picture and passed the wrong verdict. That is a stranger kind of failure than a hole in a wall, and it points at something we lean on far more than most people notice.

We tend to think permission is a two-part thing: you’re offered a choice, and you make it. But a choice you can act on has a third, silent part — an honest view of what you’re choosing between. Take that away and the other two still look intact. You’re offered a choice. You make it. It just isn’t the choice you thought you were making.

The developer had the choice. The developer made it. What they didn’t have was a true view of the consequence. The pop-up showed project_settings.json and hid the login keys behind it. Every visible part of consent was present, and consent still didn’t happen — because the part that makes it real was missing.

This is why the researchers said the failure wasn’t that the trick worked. It was that the screen didn’t tell the truth. “The human-in-the-loop only works if the loop can see,” is the plain version of their point.

You do this a dozen times a day

Now the uncomfortable part: this is not a programmer’s problem. It is the shape of almost every “I agree” you have ever clicked.

The cookie banner that says manage preferences and buries the real settings three taps down. The app that asks for your location “to improve your experience” and sells it. The terms of service you accept because reading them would take a working afternoon. The permission screen that says “allow access to photos” without saying to whom, or for how long, or how often. In each case you are offered a choice and you make it — and in each case the true view of the consequence is somewhere you can’t easily see.

We call all of that “agreeing.” Mostly it’s the same rubber stamp the developer used, dressed in friendlier clothes. The label is honest enough to click and vague enough to hide the thing that matters.

Someone chose to show the friendly name

Here’s the part worth sitting with. In several of these tools, the pop-up could have shown the real target — the actual place on the disk the write would go. It showed the pretty name instead. That was a decision, made long before any attack, by someone who wanted the tool to feel smooth and simple.

It wasn’t a plot. Nobody set out to fool anyone. A friendly file name reads better than a long, ugly file path, and a smoother pop-up makes a better product. But that small design choice quietly moved the risk. It took the burden of “is this safe?” off the tool that knew the true target, and set it on the person who couldn’t see it. The convenience served the maker. The blind spot served the attacker. Both were riding the same decision, and it looked, from the outside, like a neutral bit of tidiness.

Notice how the companies then disagreed about whose job it even was. Some fixed it. Some went quiet. One argued that if you choose to trust a folder, what happens next is on you. That argument isn’t obviously wrong — but it lands the responsibility exactly where the information isn’t. It asks the person who was shown the false name to be accountable for the true one.

You can’t out-careful a screen that hides the truth

The reflex, reading this, is to resolve to be more careful. Read the pop-ups. Check the paths. Slow down.

It’s a good instinct, and it has a ceiling. The developer in this story was a careful professional, and care didn’t help, because the failure wasn’t in their attention — it was in the display. You cannot pay closer attention to a thing you are not being shown. When the interface hides the real target, more vigilance just means staring harder at the wrong word.

That’s the humbling bit. Most of the “yes” we give in a day, we give partly blind — trusting, reasonably, that the label matches the thing. We have to. Nobody can personally verify every file path, every data flow, every clause. So we lean on the honesty of the screen in front of us, the way we lean on a bridge holding.

The lesson isn’t that trust is foolish. It’s that a “yes” is only ever as good as what you were allowed to see when you gave it — and that a surprising amount of the machinery around us is built to make saying yes feel easy, precisely at the moments it should feel hard. The person clicking is you, me, the careful developer, all of us. The one thing none of us can supply for ourselves is a true picture of what’s behind the button.

03 · Lab · your turn

The Approval Desk

Approve write requests shown only friendly labels, then reveal what you really approved and feel that honest display, not more care, is what makes a yes safe.

04 · Hope · carry this

The people who found this flaw reported it quietly to every vendor before an attacker could use it, and most of the tools were fixed within weeks. The slow, unglamorous habit of checking each other's work — and closing the gap before it costs anyone — is still turning.

Across the beats