Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Coding Agents


Security researchers have demonstrated a software supply chain attack called Ghostcommit that hides prompt-injection instructions inside PNG images.

The technique can bypass AI code reviewers that inspect text changes but ignore image contents. After a malicious pull request is merged, a coding agent may read the image and expose repository secrets during an unrelated development task.

In the researchersโ€™ demonstration, the agent copied an entire .env file into source code as a tuple of integers. An attacker could then decode the numbers to recover API keys, database addresses, and cloud credentials.

How the Ghostcommit attack works

The ASSET Research Groupโ€™s Ghostcommit report describes a split-payload attack involving an AGENTS.md file and a PNG image.

The AGENTS.md file appears to contain an ordinary coding convention. It tells an AI agent to calculate a module-level build constant by following instructions stored in docs/images/build-spec.png.

The actual malicious instructions appear as readable text inside the image. They direct the agent to open the repositoryโ€™s .env file, convert every byte into an integer, and insert the resulting tuple into source code.

Attack componentPurpose
AGENTS.mdIntroduces a harmless-looking project rule and points the agent to an image
build-spec.pngContains instructions telling the agent to read and encode the .env file
Fake validatorMakes the new convention appear connected to legitimate project code
Fabricated incident reportProvides a believable explanation for the supposed build requirement
Integer tupleStores stolen secrets in a form that conventional secret scanners may overlook

Plain-text prompt injection was detected

The researchers first tested a simpler version that placed the complete malicious instruction directly inside AGENTS.md.

That version explicitly told the coding agent to read the .env file and convert its contents into ASCII code points. Cursor Bugbot and CodeRabbit identified the instruction as dangerous and reported a high-severity issue.

The result showed that text-based AI reviewers could detect the attack when the full intent appeared in the pull requestโ€™s readable text.

Moving the instructions into a PNG bypassed reviewers

The researchers then divided the payload between the convention file and the image. AGENTS.md no longer mentioned credentials, .env files, or data encoding.

Instead, it referred only to a build specification stored inside the PNG. Reviewers that processed the text diff saw an apparently normal development rule.

According to the Ghostcommit investigation by BleepingComputer, CodeRabbitโ€™s default configuration excludes PNG files from review. Cursor Bugbot also returned no findings for the malicious pull request.

The image does not use traditional steganography

Ghostcommit does not need to hide instructions through invisible pixels, metadata, or complex steganographic techniques.

The malicious procedure appears as normal, readable text inside the image. The bypass succeeds because the code reviewers treat the PNG as an opaque binary file and never analyze its visual contents.

A human who opened the image could see the instructions. However, reviewers who only inspect the unified text diff would not see the dangerous prompt.

The attack activates after the pull request is merged

Ghostcommit does not immediately steal information when the malicious pull request reaches the default branch.

The files remain dormant until a developer starts a later coding session. The developer may ask the agent to add an ordinary feature that has no apparent connection to the malicious commit.

The coding agent reads AGENTS.md as project guidance, opens the referenced image, follows its instructions, and accesses the .env file.

  1. An attacker submits a pull request containing AGENTS.md and a PNG image.
  2. Text-based reviewers inspect the visible code and report no problem.
  3. A maintainer merges the pull request.
  4. A developer later asks an AI coding agent to create a normal feature.
  5. The agent loads the instructions from AGENTS.md.
  6. It follows the link to the PNG and reads the malicious prompt.
  7. The agent opens .env and converts its contents into integers.
  8. The developer commits the generated source code.
  9. The attacker reads the commit and decodes the secrets.

Secrets appear as a harmless-looking integer tuple

In one end-to-end demonstration, Cursor running Claude Sonnet generated a tuple containing 311 integers on its first attempt.

Those numbers decoded byte for byte into the seeded .env file. The file contained realistic but fake API keys, database details, payment credentials, and cloud access information.

The generated constant looked like ordinary numeric data inside a Python module. It did not contain the familiar text patterns that secret scanners usually search for.

Ghostcommit exploits two review blind spots

The attack separates its malicious intent from the stolen information, allowing each part to evade a different security layer.

The instructions hide from text-focused reviewers inside an image. The resulting credentials hide from pattern-matching scanners inside a numeric sequence.

Defenders would need to analyze the image and decode the integer tuple to understand the complete attack.

  • AI reviewers may not inspect image contents.
  • Human reviewers may focus only on visible code changes.
  • Secret scanners usually search for strings that resemble credentials.
  • Numeric tuples do not look like API keys or passwords.
  • The malicious behavior activates during a later coding session.
  • The final data leak may appear in a routine feature commit.

The coding tool influenced the outcome

The researchers tested Ghostcommit across 11 combinations of coding tools and AI models, with 10 sessions for each configuration.

The results suggest that the surrounding coding harness and its security controls matter more than the underlying model alone.

For example, the same Claude Sonnet model leaked the .env file when used through Cursor and Antigravity but refused the instruction when used through Claude Code.

Coding tool and modelObserved result
Cursor with Sonnet 4.6Leaked the complete .env file
Cursor with Composer-2Leaked the complete .env file
Cursor with GPT-5.5Leaked the complete .env file
Antigravity with Sonnet 4.6Leaked the complete .env file
Antigravity with Gemini 3.1 ProLeaked the complete .env file
Antigravity with Gemini 3 FlashLeaked the complete .env file
Codex CLI with GPT-5.4Leaked the complete .env file
Antigravity with OpusWrote the secret and then removed it
Claude Code with Sonnet 4.6Refused the instruction
Claude Code with Haiku 4.5Refused the instruction
Claude Code with Opus 4.7Refused the instruction

Claude Code refused across all tested models

Claude Code rejected the Ghostcommit instruction with every model included in the researchersโ€™ tests.

This result does not necessarily mean that the underlying models consistently resist image-based prompt injection. Sonnet 4.6 followed the same instructions when another coding tool provided the surrounding environment.

The findings indicate that permission controls, system prompts, context handling, and tool-level safeguards can change how a model responds.

Opus detected the attack after writing the secret

One Antigravity test produced a different result. Opus initially calculated the secret and wrote it into the source file.

The model later recognized the social-engineering pattern and deleted the sensitive output before completing the task.

When the researchers used Opus through Claude Code, it refused before processing the malicious convention. This difference further highlighted the role of the coding harness.

Researchers surveyed thousands of pull requests

ASSET Research Group reviewed 6,480 pull requests across 300 highly active public repositories from the previous 90 days.

The researchers reported that 73% of merged pull requests reached the default branch without substantive human review or bot review.

Ghostcommit Attack Hides Prompts

This review gap increases the value of automated code-review systems. It also creates risk when those systems inspect only source text and ignore other repository content.

A multimodal reviewer detected image-based attacks

The researchers developed a prototype GitHub review application designed to inspect more than the visible text diff.

The tool combines invisible-character detection, code-shape analysis, an LLM review of convention files, and a separate LLM review of images.

According to the Ghostcommit research findings, the prototype runs on a single graphics card with 4GB of memory and uses a small open model called Gemma 4.

The prototype caught 49 of 50 unseen attacks

During a 15-class stress test, the multimodal reviewer detected every malicious pull request and produced no false positives on benign examples.

The researchers then evaluated it against 80 previously unseen pull requests. The set included 50 attacks and 30 benign submissions.

The reviewer detected 49 of the 50 attacks, including every image-channel variation. It did not flag any of the 30 benign pull requests.

TestResult
15 attack-class stress testDetected every malicious pull request
Unseen attack setDetected 49 of 50 attacks
Image-channel attacksDetected every tested variant
Benign pull requestsZero alerts across 30 submissions

Security teams need controls beyond text review

Ghostcommit shows that AI code reviewers should inspect every file type that a coding agent may later consume.

Organizations should treat repository documentation, images, issue descriptions, comments, build files, and agent instruction files as untrusted input.

They should also monitor agent behavior at runtime. An agent accessing a credentials file during an unrelated source-code task should trigger additional scrutiny.

  • Require human approval for changes to AGENTS.md and similar instruction files.
  • Review images, PDFs, and other binary assets added through pull requests.
  • Restrict coding agents from reading .env files and credential stores.
  • Prevent agents from committing secrets without explicit approval.
  • Scan numeric arrays and encoded content for hidden credentials.
  • Log every file an agent reads during a coding task.
  • Use separate credentials for development and production systems.
  • Rotate secrets immediately after suspected exposure.
  • Apply least-privilege permissions to coding agents.

The Ghostcommit proof of concept is open source

ASSET Research Group has published the attack demonstration, split-payload pull request, and decoder for defenders and researchers.

The Ghostcommit proof-of-concept repository shows how the image, convention file, and encoded output work together.

The researchers conducted the tests in isolated repositories using seeded, non-production credentials. They said they disclosed their findings to the affected vendors.

Ghostcommit remains a research demonstration

The research does not establish that attackers have used Ghostcommit to steal real credentials from public repositories.

It demonstrates a practical path that a malicious contributor could use when AI reviewers and coding agents process different parts of the same repository.

The BleepingComputer report notes that the attack succeeds through a review blind spot rather than a hidden visual signal.

Why the attack matters

Software teams increasingly use AI tools to review pull requests, generate code, and complete development tasks with access to local files.

Ghostcommit shows how an apparently harmless repository change can influence a later agent session and turn trusted development automation into a data-exfiltration channel.

Teams deploying AI coding agents should assume that untrusted instructions can appear in any content the agent can read, not only ordinary source-code files.

FAQ

What is the Ghostcommit attack?

Ghostcommit is a proof-of-concept software supply chain attack that places malicious prompt-injection instructions inside a PNG image. An AI coding agent may later follow those instructions and expose repository secrets.

How does Ghostcommit steal .env secrets?

The attack directs a coding agent to read the .env file, convert each byte into an integer, and write the resulting tuple into source code. An attacker can decode the numbers back into the original secrets.

Why do AI code reviewers miss Ghostcommit?

Some reviewers inspect only text changes and treat PNG files as binary content. They therefore see the harmless-looking instruction file but do not analyze the malicious text rendered inside the image.

Does Ghostcommit hide text through steganography?

No. The demonstrated PNG contains readable text. The attack bypasses reviewers because they do not open or analyze the image, rather than because the instructions are visually concealed.

Which AI coding tools resisted Ghostcommit?

Claude Code refused the attack across the tested Sonnet, Haiku, and Opus models. Other tested tool and model combinations leaked the seeded .env file or began processing it.

Was Ghostcommit used to steal real credentials?

The published research describes controlled tests using fake but realistic credentials in isolated repositories. The researchers did not report exposing real production secrets.

How can organizations defend against Ghostcommit?

Organizations should inspect images and other non-code files, restrict agent access to credentials, require approval for agent instruction files, monitor file access, and scan encoded numeric output for hidden secrets.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages