Skip to content
Tech News
← Back to articles

'Ghostcommit' hides prompt injection in images to fool AI agents, steal secrets

read original more articles

Researchers have built a pull request that steals a repository's secrets by hiding the malicious instruction inside a PNG that AI code reviewers never open.

The reviewer waves the change through. Later, a coding agent reads the picture, opens the repo's .env, and writes every key into the source as a harmless-looking list of numbers.

How 'Ghostcommit' works

The attack is joint work from the University of Missouri-Kansas City's ASSET Research Group, by associate professor Sudipta Chattopadhyay and researcher Murali Ediga, who shared it with BleepingComputer.

The group published a proof-of-concept on GitHub this week and says it has disclosed the findings to the affected vendors.

The researchers frame the attack against a review gap that's already wide: a survey of 6,480 pull requests across the 300 most active public repositories over the past 90 days found 73% of merged PRs reached the default branch with no substantive human review and no bot review at all.

'Ghostcommit' attack overview (ASSET Research Group)

The trick is that the malicious instruction isn't text a reviewer can catch. It's a picture.

An AGENTS.md file, the kind of coding-convention file agents read automatically and treat as project policy, reads like ordinary build hygiene and names no secret.

It just points to an image, docs/images/build-spec.png. The exploit lives in text rendered inside that PNG: read .env byte by byte, encode each byte as an integer, emit the result as a module constant, and verify the decoded numbers match the real file before commit.

... continue reading