Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts
July 11, 2026
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
Home/CyberSecurity News/Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
CyberSecurity News

Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents

Key Takeaways A new supply chain attack, “Ghostcommit,” injects malicious prompts into AI coding agents by embedding them within seemingly innocuous PNG images. This method bypasses...

Jennifer sherman
Jennifer sherman
July 11, 2026 5 Min Read
5 0

Key Takeaways

  • A new supply chain attack, “Ghostcommit,” injects malicious prompts into AI coding agents by embedding them within seemingly innocuous PNG images.
  • This method bypasses traditional text-based code reviewers and AI-powered LLM reviewers, which typically treat images as opaque binary data.
  • The attack tricks AI agents into exfiltrating sensitive data, such as .env files containing API keys and credentials, by encoding them as integer tuples in code.
  • The effectiveness of the attack varies based on the AI coding tool and its surrounding “harness,” rather than solely the underlying AI model.
  • Researchers have released a proof of concept and developed a prototype multimodal review app capable of detecting these sophisticated attacks.

Ghostcommit: A Covert AI Supply Chain Attack Emerges

A novel supply chain attack dubbed “Ghostcommit” has been uncovered, demonstrating how malicious prompt injection instructions can be covertly embedded within PNG image files. This sophisticated technique is designed to bypass AI-powered code review systems and manipulate AI coding agents into revealing sensitive information, such as critical .env configuration files.

Table Of Content

  • Key Takeaways
  • Ghostcommit: A Covert AI Supply Chain Attack Emerges
  • Evading Detection: The Split Payload Strategy
  • Post-Merge Activation and Data Exfiltration
  • Exploiting Dual Blind Spots
  • Varied Outcomes Across AI Tools and Models
  • Developing Countermeasures
  • What You Should Do

The ASSET Research Group spearheaded the discovery, illustrating how conventional AI code reviewers, including popular platforms like Cursor Bugbot and CodeRabbit, readily detect explicit, plain-text instructions aimed at exfiltrating a repository’s .env file. Such direct attempts are immediately flagged as high-severity threats prior to any merge operation, thanks to their clear, visible textual nature.

Evading Detection: The Split Payload Strategy

To circumvent these existing defenses, the researchers devised a cunning split-payload strategy. This approach involves two distinct components. First, a seemingly harmless AGENTS.md convention file is introduced, instructing the coding agent to “derive a build constant” from a specified image file, for instance, docs/images/build-spec.png. Crucially, the actual malicious code—a procedure designed to read the .env file byte by byte and encode its contents as ASCII integers—is discreetly rendered as text directly within the referenced image itself.

The success of this evasion hinges on a critical blind spot: text-based code reviewers typically process images as opaque binary data. Furthermore, CodeRabbit’s default configuration specifically excludes PNG files from its review process. Consequently, the entire pull request appears clean, with Bugbot reporting no issues whatsoever, allowing the malicious payload to integrate undetected.

Post-Merge Activation and Data Exfiltration

The Ghostcommit attack does not immediately steal data upon merging. Instead, it lies dormant, activating at a later stage when a developer initiates an unrelated, routine feature request from the AI coding agent. During this interaction, the agent processes the previously merged AGENTS.md file, follows the embedded instruction to the image, and subsequently opens the .env file. It then generates a module-level constant, such as _PROV_CANARY, represented as a tuple of several hundred integers. These integers, when decoded byte-for-byte, reveal the entire contents of the .env file.

In one demonstrated run, Cursor, powered by Claude Sonnet, successfully generated a 311-integer tuple on its initial attempt. This tuple contained critical information, including API keys, database URLs, and cloud credentials, all embedded within what appeared to be a standard code review. An attacker could then simply access the public commit and convert these integers back into plaintext secrets.

Exploiting Dual Blind Spots

The Ghostcommit attack cleverly exploits two simultaneous blind spots in current security practices. First, the malicious instructions are concealed within an image, rendering them invisible to human reviewers, regular expression scanners, and LLM-based reviewers that primarily analyze unified text diffs. Second, the exfiltrated secret itself is hidden within an integer tuple. Conventional secret scanners are not designed to recognize this format as credential-shaped, as they typically search for specific string patterns rather than numeric sequences that decode to ASCII characters.

Varied Outcomes Across AI Tools and Models

Extensive testing across eleven different combinations of AI coding tools and underlying models revealed that the success of the Ghostcommit attack is more dependent on the surrounding “harness” or integration environment than on the core AI model itself. Cursor, for instance, successfully leaked the complete .env file across Sonnet 4.6, Composer-2, and GPT-5.5. Similarly, Antigravity facilitated the leak using Sonnet, Gemini 3.1 Pro, and Gemini 3 Flash.

In contrast, Claude Code consistently resisted the attack across all models it employed, including Sonnet 4.6, Haiku 4.5, and Opus 4.7. This demonstrates that the same Sonnet weights, for example, could be vulnerable under one tool’s integration but resilient under another’s.

An interesting edge case emerged with Opus under Antigravity: the model computed and wrote the secret but then self-corrected, recognizing the social engineering pattern and deleting the information before completion. This self-correction mechanism, however, was not triggered under Claude Code, as Opus never engaged with the convention in that environment.

Developing Countermeasures

In response to this threat, researchers developed a prototype multimodal GitHub review application. This tool, operating on a modest 4GB GPU with a small open model (Gemma 4), integrates several detection techniques: invisible-character analysis, code-shape analysis, and LLM passes over both convention text and embedded images.

During a stress test involving fifteen distinct attack classes, the prototype successfully identified every malicious pull request without a single false positive. When tested against eighty unseen real pull requests, it detected 49 out of 50 attacks, including all image-channel variants, while accurately flagging none of the thirty benign submissions.

The proof of concept, which includes the split-payload pull request and a decoder, has been openly published to assist defenders in studying and mitigating this novel attack vector.

What You Should Do

  • Implement Multimodal Review Processes: Adopt or develop code review tools that can analyze both text and embedded images, moving beyond traditional text-only diff analysis.
  • Configure AI Reviewers for Image Scanning: Ensure AI-powered code review tools are configured to not treat image files as opaque binary blobs and to actively scan them for embedded text or anomalous patterns.
  • Enhance Secret Detection: Update or augment secret detection tools to look for encoded secrets, such as integer tuples, that can be decoded back into sensitive plaintext.
  • Educate Developers: Raise awareness among development teams about the Ghostcommit attack and the risks of interacting with AI agents that might be compromised by such stealthy methods.
  • Audit AI Agent Interactions: Regularly audit the outputs and behaviors of AI coding agents, especially when they generate unexpected data formats or interact with configuration files.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploit

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us