Ghostcommit Attack Conceals Malicious Prompts in Images to Exploit AI Agents

A novel supply chain attack, termed “Ghostcommit,” has emerged, leveraging PNG images to embed malicious prompt-injection instructions. This technique effectively bypasses AI code reviewers, leading coding agents to inadvertently expose sensitive information, such as .env files.

In a demonstration by the ASSET Research Group, a pull request containing explicit, plain-text instructions to exfiltrate a repository’s .env file was promptly flagged by LLM-based reviewers like Cursor Bugbot and CodeRabbit. These tools identified the coherent, text-visible exploit as high severity before the merge.

To circumvent detection, the researchers divided the payload. A seemingly innocuous AGENTS.md file directed the coding agent to “derive a build constant” from a referenced image, docs/images/build-spec.png. The actual malicious procedure—reading the .env file byte by byte and encoding it as ASCII integers—was embedded as text within the image itself.

Since text-based reviewers treat images as opaque binary data, and CodeRabbit’s default settings exclude PNG files from review, the entire pull request passed without raising any alarms. Bugbot, for instance, reported no findings.

Activation of the Ghostcommit Attack

The exploit doesn’t activate immediately upon merging. Instead, it lies dormant until a developer, during an unrelated session, requests a routine feature from the coding agent. The agent then processes the merged AGENTS.md file, accesses the referenced image, reads the .env file, and outputs a module-level constant—a tuple of several hundred integers. These integers, when decoded, reveal the entire .env file.

In one demonstration, Cursor, utilizing Claude Sonnet, generated a 311-integer tuple on the first attempt, embedding API keys, database URLs, and cloud credentials directly into what appeared to be a standard code review. The attacker could then access the public commit and convert the integers back into plaintext secrets.

This attack exploits two significant blind spots. First, the malicious instruction is concealed within an image, making it invisible to human reviewers, regex scanners, and LLM reviewers that only parse text diffs. Second, the stolen secret is hidden within an integer tuple—a format that conventional secret scanners don’t recognize as credential-related, since they typically search for string patterns rather than numeric sequences that decode to ASCII.

Variability Across Tools and Models

Testing across eleven combinations of coding tools and models revealed that outcomes depend more on the surrounding harness than the underlying model. For instance, Cursor leaked the full .env file across Sonnet 4.6, Composer-2, and GPT-5.5, while Antigravity did so across Sonnet, Gemini 3.1 Pro, and Gemini 3 Flash.

Notably, Claude Code consistently refused to process the exploit across all models it ran, including Sonnet 4.6, Haiku 4.5, and Opus 4.7. This indicates that the same Sonnet weights can leak under one harness but refuse under another.

In an edge case, Opus under Antigravity computed and wrote the secret, then recognized the social-engineering pattern and deleted it before completion—a self-correction that didn’t occur under Claude Code, as Opus never engaged with the convention there.

To address this vulnerability, researchers developed a prototype multimodal GitHub review application. Running on a single 4GB GPU using a small open model, Gemma 4, this tool combines invisible-character detection, code-shape analysis, and LLM passes over both conventional and image-based content to identify and mitigate such hidden threats.

The Ghostcommit attack underscores the evolving sophistication of supply chain threats. By embedding malicious instructions within images, attackers can exploit the trust placed in AI code reviewers and coding agents. This highlights the need for enhanced scrutiny of non-textual content in code reviews and the development of more robust detection mechanisms to safeguard against such covert exploits.