Ghostcommit Hides Secret-Theft Instructions in Images AI Code Reviewers Never Open
Researchers at the University of Missouri–Kansas City's ASSET Research Group have released Ghostcommit, a proof-of-concept software-supply-chain attack that places its malicious instructions inside a PNG. The pull request's text looks like routine project policy, text-only AI reviewers return no finding, and a vision-capable coding agent later follows the image's instructions and writes a repository's .env contents into source code as integers.
A two-stage prompt-injection chain
The delivery stage adds an AGENTS.md convention file that points to docs/images/build-spec.png. The Markdown does not name a credential file or describe exfiltration. The PNG does: it tells the coding agent to read .env byte by byte, emit the values as a module-level tuple, and verify that decoding the tuple reproduces the file. Supporting validator code and a fabricated incident report make the policy look operationally legitimate.
That split matters because the reviewers and the eventual agent do not observe the same artifact. The researchers report that plain-text versions were flagged at high severity by Cursor Bugbot and CodeRabbit. When the procedure moved into the PNG, both returned no findings; the disclosure notes that CodeRabbit's default review configuration excludes PNG files.
The execution stage can happen long after merge. During an unrelated coding task, the agent reads the repository's standing instructions, opens the referenced image, and adds the requested tuple to a normal source file. An attacker can then decode the integers from a public commit. The output contains no conventional credential string, so scanners that only match key formats can miss the disclosure.
What the controlled tests found
- The team tested ten sessions for each listed tool-and-model pairing. Its disclosure says every tested pairing under Cursor, Antigravity, and Codex CLI emitted the complete seeded
.envtuple. - Claude Code refused across the three tested model configurations, including the same Sonnet family that leaked under other harnesses. Under Antigravity, one Opus configuration wrote the data and then removed it after recognizing the social-engineering pattern.
- The researchers surveyed 6,480 pull requests across 300 highly active public repositories and report that 73% of merged PRs reached the default branch without substantive human or bot review.
- Their prototype multimodal defender caught 49 of 50 malicious pull requests in an 80-PR live trial, including every image-channel variant, while reporting no false alarms among 30 benign PRs.
The security boundary is the harness, not just the model
Ghostcommit is not evidence that every coding agent will execute image-borne instructions. It is a controlled demonstration using seeded canary credentials, and the authors say no production secrets were exposed. Its strongest result is the divergence between tools running related models: repository ingestion, image handling, standing-instruction precedence, filesystem permissions, and output controls determine whether the payload becomes an action.
The attack also joins two visibility gaps. Reviewers that inspect only textual diffs cannot assess the complete instruction graph, while secret scanners that inspect only string-shaped tokens cannot recognize arbitrary encodings. Treating either control as a complete gate leaves a composition path through both.
Defensive engineering guidance
- Require substantive review for new or modified agent policy files such as
AGENTS.md, especially when they reference images, generated documents, archives, or remote content. - Render and inspect non-text assets in pull requests. Correlate instructions across policy files and their references instead of evaluating each file independently.
- Do not give coding agents ambient access to credential files. Run them with task-scoped mounts, deny-by-default egress, and secrets supplied only to the specific subprocess that needs them. The site's analysis of credential-isolated agent sandboxes covers this execution boundary.
- Alert when agents read
.env, cloud credentials, SSH material, package tokens, or CI secrets outside an approved workflow—even when the eventual output is encoded rather than copied verbatim. - Scan new constants and large numeric or encoded blobs for reversible secret material, and compare agent file reads with the files changed in its output.
- Keep untrusted pull requests away from privileged autonomous agents until review is complete. A merge should not silently promote repository content into trusted standing instructions.
Sources: