Ghostcommit uses image-embedded prompts to bypass AI code review

Ghostcommit uses image-embedded prompts to bypass AI code review


Ghostcommit uses image-embedded prompts to bypass AI code review

Researchers from the ASSET Research Group demonstrated Ghostcommit, a pull-request attack that hides prompt injection inside a PNG referenced by AGENTS.md. Text-only reviewers may approve the change, while a later coding agent reads the image, accesses .env, and emits the secrets as integer constants in source code. In tests, Cursor and Antigravity leaked credentials across multiple models; Claude Code refused.

The key finding is structural: the failure point was often the toolchain, not the model. If reviewers skip images and scanners do not decode covert output formats, secret exfiltration can pass through normal PR workflows and appear as benign code generation.

️ Open sources - closed narratives

@sitreports

Source: Telegram "sitreports"

Report Page