Published: 2026-07-13
Categories: AI Security, Application Security
Key Takeaways
Researchers from the ASSET Research Group disclosed GhostCommit, a proof-of-concept attack that hides prompt-injection instructions inside a PNG image referenced from a repository’s coding-convention file, exploiting the fact that human reviewers rarely inspect embedded image content and that the two automated review tools the researchers tested — CodeRabbit and Cursor’s Bugbot — did not flag it either [1][2]. The payload is split across two artifacts: an innocuous-looking AGENTS.md convention file that instructs a coding agent to derive a value from a referenced image, and the actual malicious instructions, rendered as legible text inside the image itself, which direct the agent to read the repository’s .env file byte by byte and emit the result as an integer-encoded constant [1]. In the researchers’ testing, this technique exfiltrated secrets from coding agents built on Cursor and Antigravity when driven by Claude Sonnet, Gemini, or GPT-5.5, with one partial exception — Claude Opus under Antigravity wrote the secret out but then recognized the social-engineering pattern and deleted it before finishing — while Anthropic’s Claude Code consistently refused the instruction across every model tested [1]. Because the exfiltrated secrets are written into source code as tuples of integers rather than as recognizable strings, conventional secret-scanning tools — which look for credential-shaped patterns, not decoded numeric sequences — do not flag the resulting commit [1]. The researchers’ own survey found that 73 percent of merged pull requests across 300 active public repositories reached the default branch with no substantive human or bot review, consistent with a review environment permissive enough that an attack like this could plausibly persist undetected between the time a poisoned convention file is merged and the time an agent later acts on it [1].
Background
The rapid adoption of AI coding agents — tools such as Cursor, Antigravity, and Anthropic’s Claude Code that read a repository’s files, follow project conventions, and write code with varying degrees of autonomy — appears to have introduced a new class of attack surface that traditional code review was not designed to catch. These agents commonly read a project-level convention file, often named AGENTS.md or similar, that describes coding standards, build steps, or other repository-specific guidance the agent should follow when generating code. Because these files are treated as trusted project configuration rather than executable code, they typically receive less scrutiny than a pull request’s functional changes, and, in the pattern the researchers describe, their instructions are followed by the agent with a degree of implicit trust a human reviewer would not extend to an anonymous comment.
GhostCommit exploits this trust gap by separating an attack into two pieces that are individually unremarkable. The convention file’s instruction — “derive a build constant from the referenced image” — reads as an ordinary, if unusual, project convention. The actual attack logic lives inside a PNG file that a pull request adds to the repository, most plausibly disguised as a diagram, screenshot, or build-specification asset. A human reviewer scanning the pull request diff sees a binary image file and a brief, plausible-looking text instruction; neither element on its own suggests malicious intent, and the reviewer has only a very limited practical way to “read” a PNG’s embedded text without opening the image in an editor and looking closely at what it renders [1]. Automated AI code-review tools fare no better against the image-embedded proof-of-concept in the researchers’ testing: CodeRabbit’s default configuration excludes image files from review entirely, and Cursor’s Bugbot returned no findings against the image-based pull requests, though the researchers note that Bugbot did flag a plaintext variant of the same exploit that did not rely on an embedded image [1]. The result is a pull request that merges cleanly, with the malicious payload dormant until a developer, in a later and entirely unrelated session, asks their coding agent to build a routine feature. At that point, the agent reads the merged convention file, follows its pointer to the image, extracts the instructions rendered inside it, and executes them — reading the repository’s .env file and writing its contents into new source code as an integer-encoded constant [1]. In one demonstrated run, an agent built on Cursor and Claude Sonnet produced a 311-integer constant on its first attempt that decoded, byte for byte, to the entirety of the target .env file [1].
GhostCommit is best understood as an evolution of a technique first demonstrated at scale in August 2025, when Trail of Bits researchers showed that a full-resolution image containing no visible malicious content could reveal a hidden prompt injection once a downstream AI system’s preprocessing pipeline downscaled it — an attack that Trail of Bits successfully exploited against Google’s Gemini CLI and other production systems, and for which they released an open-source tool, Anamorpher, to help defenders test their own image-handling pipelines [3]. Where the 2025 image-scaling attack relied on a resampling artifact to reveal an otherwise invisible payload, GhostCommit’s payload is fully legible at native resolution; its evasion strategy is not visual concealment but the simple observation that neither human reviewers nor most review tooling treats image content as something requiring inspection at all. That the two attacks share a delivery vector — a maliciously crafted image consumed by a multimodal AI pipeline — while differing entirely in their concealment mechanism suggests that image-borne prompt injection is becoming a recurring category of attack against AI systems, not an isolated proof-of-concept.
Security Analysis
The core vulnerability GhostCommit exposes is a mismatch between what code-review processes are built to inspect and what AI coding agents are willing to act on. Code review, whether performed by a human or by an automated tool such as CodeRabbit or Bugbot, has historically focused on the code itself: logic, style, security patterns, and test coverage in diffs of text. Binary assets such as images have conventionally been treated as inert — a screenshot is a screenshot, not executable content. AI coding agents undermine that assumption: a multimodal agent that can read an image can also be instructed by what it reads inside that image, and the researchers’ finding that CodeRabbit excludes image files from review by default, and that Bugbot’s scan produced no findings against the same pull requests, indicates that at least these two widely used tools have not yet caught up to the fact that the agents downstream of them are consuming images as instructions [1].
In this note’s assessment, the divergence in outcomes between different coding agents is the most operationally significant finding in the research. With Cursor and Antigravity, Sonnet, Gemini, and GPT-5.5 all leaked the target secrets when driving the agent; the one partial exception was Claude Opus under Antigravity, which wrote the secret out and then recognized the social-engineering pattern and deleted it before finishing — suggesting model-level safeguards can still intervene even inside a harness that does not itself refuse. Claude Code, by contrast, refused the injected instruction with every model tested, including Sonnet, Haiku, and Opus [1]. Because the same underlying models produced largely opposite outcomes depending on which tool wrapped them, the researchers’ results point to the surrounding agent harness — its system prompt, its guardrails around untrusted content, and its willingness to treat convention files and their referenced assets as authoritative instructions — as a major contributing factor, not the base model’s training alone. This is a meaningful signal for security teams evaluating coding-agent tooling: model selection alone does not determine an organization’s exposure to this class of attack, and vendors’ harness-level design choices around how much authority is extended to project convention files deserve direct scrutiny during procurement.
The exfiltration method itself also defeats a widely deployed class of defensive tooling. Secret scanners, whether run in CI or as pre-commit hooks, are built to recognize the shape of credentials: API key prefixes, JWT structures, connection-string patterns, and high-entropy strings. An agent that encodes a .env file’s contents as a Python or JavaScript tuple of integers produces a commit that contains no string resembling a credential at all — the secret exists only after a reader or a script decodes the integers back to bytes, a transformation that no mainstream scanner performs as part of its detection logic [1]. This is not a flaw specific to any one scanning product; it is a structural gap in the detection model that secret scanning is built around, and the same blind spot is likely to recur for other exfiltration techniques that re-encode sensitive data into forms the scanner was not built to recognize. The researchers did not leave this gap unaddressed, however: they prototyped a multimodal defensive scanner and tested it against 80 previously unseen attack pull requests, blocking all but one with zero false positives across 30 legitimate PRs — evidence that an image-aware review layer, of the kind recommended below, is a tractable mitigation rather than a purely theoretical one [1].
Finally, the researchers’ pull-request review survey supplies the operational context that makes the attack practical rather than merely theoretical. Their analysis of 6,480 pull requests across the 300 most active public repositories over a 90-day period found that 73 percent of merged changes reached the default branch with no substantive human review and no bot review at all [1]. GhostCommit does not require the attacker to defeat a rigorous review process; it requires only that the specific pull request carrying the poisoned convention file and image land in the roughly three-quarters of merges that receive no meaningful scrutiny before merging — a bar the researchers’ own baseline suggests is not high.
CSA Resource Alignment
CSA’s Securing LLM-Backed Systems: Essential Authorization Practices provides directly applicable prior guidance for the attack pattern GhostCommit demonstrates [4]. That guidance’s treatment of indirect prompt injection — where an attacker plants instructions in content an LLM-backed system will later process, rather than in a direct user prompt — describes the general mechanism by which GhostCommit’s image-borne payload reaches a coding agent through a merged, seemingly benign repository file. The guidance’s core recommendation, that systems built around LLMs require external authorization checkpoints and validation layers that do not rely on the model to police its own inputs, applies directly to the finding that agent harness design, not model choice, was a major factor in whether GhostCommit’s payload was executed or refused.
CSA’s MAESTRO framework for agentic AI threat modeling offers a complementary lens for organizations assessing their exposure [5]. MAESTRO’s layered threat model treats an AI coding agent’s tool use, its consumption of untrusted project artifacts, and its access to credentials as distinct risk surfaces that require independent controls; GhostCommit’s chain, from a merged convention file, through an image the agent reads as an instruction, to a .env file the agent has standing access to, maps onto that layered structure and illustrates why threat modeling agentic coding tools requires evaluating the full chain of trust rather than the model in isolation.
The AI Controls Matrix (AICM) v1.1, which builds on and extends CSA’s Cloud Controls Matrix, supplies the control-mapping vocabulary organizations need to operationalize a response [6]. The relevant control domains span Application and Interface Security, where controls governing code review and CI/CD pipeline integrity should be extended to explicitly cover non-text artifacts consumed by AI agents, and Identity and Access Management, where the scoping of the credentials an agent can read — including .env files and other secrets stores — determines the ceiling on what any successful injection can exfiltrate.
Recommendations
Immediate Actions
Organizations that grant AI coding agents access to repositories containing production secrets should audit whether any merged pull requests contain image files referenced from AGENTS.md, CLAUDE.md, or equivalent convention files, and should manually inspect the text rendered inside any such images for embedded instructions. Any .env file or comparable secrets store that an AI coding agent can read should be treated as already exposed if the agent has processed an untrusted convention file or image since the secret was last rotated, and rotation should proceed on that assumption rather than waiting for confirmation of compromise.
Short-Term Mitigations
Code-review tooling configurations that exclude image files from automated scanning, a default the researchers found in CodeRabbit, should be reconsidered; organizations should enable image content review where the option exists or add a supplementary scanning step, such as an LLM pass over image text, ahead of merge. The researchers’ own prototype multimodal scanner, which blocked 79 of 80 previously unseen attack pull requests with zero false positives across 30 legitimate PRs, indicates this kind of image-aware review layer is achievable with existing techniques rather than a purely theoretical countermeasure [1]. Secret-scanning coverage should be extended beyond pattern matching on decoded strings to include detection of large numeric-tuple constants and similarly encoded data structures that could represent obfuscated credential exfiltration, since the researchers demonstrated that standard scanners do not flag this encoding. Coding-agent configurations should be scoped so that agents do not have standing read access to .env files or equivalent secrets stores during routine feature-development sessions; where an agent genuinely requires a runtime secret, that secret should be injected through an environment mechanism the agent’s file-reading tools cannot access directly, rather than left in a file the agent can open on request.
Strategic Considerations
The divergence between coding agents that refused the injected instruction and those that executed it suggests that harness-level design — how much authority a tool extends to project convention files and referenced assets, and what guardrails it applies before acting on untrusted repository content — may be an important security differentiator among AI coding tools, a finding worth confirming across a broader set of products beyond the two tested here. Security and engineering leadership evaluating or renewing AI coding-agent contracts should request vendor detail on how the tool treats instructions found in convention files and non-text artifacts, rather than treating the underlying model’s safety training as a sufficient proxy for the tool’s overall resistance to this class of attack. More broadly, the finding that 73 percent of merged pull requests in the researchers’ sample received no substantive review argues for organizations to treat pull-request review coverage itself as a security control with a measurable baseline, not an assumed constant, particularly for repositories where AI coding agents operate with access to credentials or other sensitive resources.
References
[1] Ax Sharma. “‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets.” BleepingComputer, July 11, 2026.
[2] ASSET Research Group. “We put the exploit in a picture. Your AI code reviewer never opens it..” ASSET Research Group Disclosures, 2026.
[3] Kikimora Morozova and Suha Sabi Hussain. “Weaponizing image scaling against production AI systems.” Trail of Bits, August 21, 2025.
[4] Cloud Security Alliance. “Securing LLM Backed Systems: Essential Authorization Practices.” CSA, 2024.
[5] Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” CSA, February 2025.
[6] Cloud Security Alliance. “AI Controls Matrix (AICM) v1.1.” CSA.