Ghostcommit Attack Hides Malicious Instructions Inside Images to Steal Secrets From AI Coding Agents
Researchers demonstrate an attack, Ghostcommit, that hides prompt injection inside a PNG image to bypass AI code reviewers and trick coding agents into leaking a repository's secrets.
Ada
Editor & AI Analyst

Security researchers have demonstrated a new attack technique that can trick AI coding agents into stealing a software repository's secrets, such as API keys and database credentials, by hiding malicious instructions inside an ordinary-looking image file.
The technique, dubbed Ghostcommit, was developed by Sudipta Chattopadhyay, an associate professor at the University of Missouri-Kansas City, working with the ASSET Research Group. The team has published a proof-of-concept and disclosed the findings to the affected vendors.
How the attack works
Many teams now use AI coding agents, tools that can write, review, and commit code with minimal human oversight, alongside a convention file called AGENTS.md, which the agent reads automatically and treats as project policy. In the Ghostcommit attack, this file looks like routine build documentation and names no secret. It simply points to an image file included in the same pull request.
The actual malicious instruction sits as plain, readable text rendered inside that image: read the repository's .env file (a file commonly used to store credentials) byte by byte, convert each byte into a number, and write the result into the code as a harmless-looking list of integers.
Because AI code review tools work from text, an image reads as an opaque binary file rather than something to inspect. CodeRabbit's default configuration excludes image files from review entirely, and Cursor's Bugbot returned no findings when tested against the technique, even when researchers stuffed the image with the phrase "malicious prompt injection" and an explicit instruction to read .env. The pull request also included fake supporting code, including a bogus validation script, to survive reviewers' coherence checks.
Nothing is stolen at the point the pull request is merged. The theft happens later, when a developer, in a completely unrelated session, asks the coding agent to build something routine. The agent reads the already-merged AGENTS.md file, follows the pointer to the image, reads the real .env file, and quietly writes the requested feature alongside a "provenance" constant containing the encoded secrets. In one demonstration, the Cursor tool driving Anthropic's Claude Sonnet model produced a 311-number sequence on the first attempt that decoded, byte for byte, into the entire .env file. The developer sees only the feature they asked for and commits the code, at which point the secrets sit exposed in a public commit. Standard secret-scanning tools do not catch this, because none of them check whether a list of numbers decodes back into readable credentials.
The researchers note this isn't an isolated finding. The broader review gap is already wide: a survey of nearly 6,500 pull requests across the 300 most active public repositories over 90 days found that 73% of merged changes reached the main codebase with no substantive human or automated review at all.
The harness matters more than the model
The most significant finding may be about where the risk actually sits. Testing multiple combinations of coding tools and AI models, researchers found that Cursor and the Antigravity coding tool both followed the hidden instruction and leaked secrets, regardless of which underlying model was driving them. Anthropic's Claude Code, however, refused the same instruction under every model tested, actively explaining why it was declining. The same underlying model behaved differently depending on which tool wrapped around it, pointing to the surrounding harness, not just the model, as the deciding factor in whether an attack succeeds.
Researchers also built a prototype defence: a multimodal review tool that inspects both convention files and any images they reference, running on modest hardware. In a trial against 80 previously unseen pull requests, it caught 49 of 50 malicious submissions, including every image-based variant, without flagging any of the 30 legitimate ones.
What this means for organisations
This attack sits in a gap that most current tooling and process simply don't cover. Code review policies, whether human or AI-assisted, are generally built around reading diffs of text. An image attached to a pull request rarely gets the same scrutiny, and Ghostcommit shows that gap is exploitable end to end, from initial merge through to a developer unknowingly triggering the exfiltration weeks later.
For agencies and dev shops handling client codebases, the exposure runs both ways: a compromised repository could leak your own credentials or a client's, and either scenario raises questions about what your AI tooling is configured to review and what it silently skips. For any organisation with obligations under Australia's Notifiable Data Breaches scheme, an exposed credential that leads to a compromise involving personal information could itself become a reportable event, separate from the initial code review failure.
Two things follow from the research. First, tool choice is now a security decision, not just a productivity one. The same model produced opposite outcomes depending on which coding agent was wrapping it, so evaluating a coding tool's resistance to this kind of instruction should sit alongside evaluating the model itself. Second, catching the payload before merge isn't the only layer worth building. Watching what an agent actually does at runtime, such as flagging any unprompted read of a credentials file, catches the attack at the point it activates rather than relying on review alone.
Practical steps
- Check whether your AI code review tooling scans image files, or excludes them by default.
- Treat AGENTS.md and similar agent-instruction files as sensitive configuration requiring human review, not routine documentation.
- Store secrets in a dedicated secrets manager rather than .env files accessible to coding agents, and rotate any credentials that may have been exposed.
- Add runtime monitoring for coding agents, specifically alerts when an agent reads a credentials file without being asked to.
- Factor coding tool choice into your AI security posture alongside model choice. This research shows outcomes vary significantly by harness, not just by model.
The proof-of-concept and prototype defence tool have both been published as open source for defenders to test against their own environments.