Researchers have demonstrated an attack, dubbed Ghostcommit, that smuggles malicious instructions past AI code reviewers by hiding them inside an image rather than text. The work comes from the University of Missouri-Kansas City’s ASSET Research Group, led by associate professor Sudipta Chattopadhyay and researcher Murali Ediga, who shared their findings and a GitHub proof-of-concept with BleepingComputer and say the affected vendors have been notified.
The attack targets an AGENTS.md file, a coding-convention file that AI agents read automatically and treat as project policy. The malicious file itself looks benign and names no secrets. It simply points to an image, docs/images/build-spec.png. The actual payload is text rendered inside that PNG, instructing an agent to read a repo’s .env file byte by byte, encode each byte as an integer, and emit it as a harmless-looking module constant.
Because the instructions live in an image, text-based reviewers never see them. CodeRabbit’s default configuration excludes image files from review entirely, and Bugbot returned no findings even when researchers stuffed the PNG with the literal phrase “malicious prompt injection.” A fake provenance validator and fabricated incident postmortem were enough to defeat a coherence check meant to flag unsupported conventions.
Delayed detonation
The exfiltration doesn’t happen at merge time. It triggers later, when a developer asks the coding agent for an unrelated task, such as a token-tracking module. The agent reads the merged AGENTS.md, follows the image pointer, opens .env, and quietly embeds a “provenance” constant in the new code. In one test, Cursor driving Claude Sonnet did this on the first attempt, producing a 311-integer constant that decoded byte-for-byte to the entire .env file. Secret scanners missed it because none check whether an integer tuple decodes back to ASCII text.
The researchers frame this against a weak review baseline: a survey of 6,480 pull requests across 300 active public repositories found 73% of merged PRs reached the default branch with no substantive human or bot review at all.
Harness matters more than model
Across ten runs per configuration, Cursor and the Antigravity coding tool both leaked .env contents under Sonnet, Gemini, and GPT-5.5. Anthropic’s Claude Code, running identical Sonnet weights, refused every time and explicitly narrated why. Under Antigravity, Opus wrote the secret out, then recognized the social-engineering pattern and deleted it before finishing, showing outcomes vary by the surrounding tooling, not just the model.
A defense that opens the image
The team built a multimodal pull-request defender, deployed as a GitHub app running on a single 4GB GPU, that scans for invisible characters, checks code shape, and runs an LLM pass over both convention text and images. In a trial against 80 unseen pull requests, it caught every image-based variant except one, with zero false positives on 30 legitimate PRs.
