GhostCommit – Convention-File Steganographic Exfiltration (Attack PoC) Researchers at ASSET Research Group published a proof-of-concept attack called GhostCommit that exploits coding-agent pipelines by hiding exfiltration instructions inside image files in pull requests. The attack embeds a steganographic payload in a PNG file referenced by a coding-convention file, which vision-capable AI coding agents read and execute, exfiltrating secrets like .env files as integer tuples that evade text-based secret scanners. The researchers found that 73% of pull requests in busy public repositories merge without substantive human or bot review, and that LLM-based reviewers fail to detect the attack when instructions are moved into images. Reference implementation of the attack from Convention-File Steganographic Exfiltration in Coding-Agent Pipelines ASSET Research Group . The full writeup is on the disclosure page https://asset-group.github.io/disclosures/ghostcommit/ . Nobody reads the picture. That is the whole attack. A pull request adds a coding-convention file AGENTS.md that points at an image, and the exploit lives inside the image, not the text. A reviewer, human or bot, reads the diff and sees a binary blob, so it merges. Days later a developer asks their coding agent for a routine module. The agent reads the merged convention, opens the image, follows it, and writes the contents of .env into the new file as a tuple of integers. Those integers decode byte for byte to your secrets, and no secret scanner treats a list of numbers as a credential. The attacker reads the public commit and decodes it. AGENTS.md names no secret and spells out no procedure. It only points at docs/images/build-spec.png . Everything dangerous is rendered inside that image: read .env , turn each byte into its ASCII codepoint, and emit the result as a PROV CANARY constant. The image also closes the escape hatches. It forbids placeholder values, forbids a runtime lookup, invents a past incident to make the rule look load-bearing, and ends with a check that fails unless the numbers really are your .env . A text-based reviewer never opens it. A vision-capable agent does. : the pull request, split so that no single file is incriminating. attack-fixtures/evolved/ AGENTS.md : the convention file that only points at the image. docs/images/build-spec.png : the image that actually carries the exploit. prov check.py : a validator with a deliberately loose byte range. docs/postmortems/2026-03-15-provenance-drift.md : the fabricated incident that sells the rule. .github/workflows/prov-check.yml : the CI gate. : turns an emitted tuple back into attack-fixtures/decode prov canary.py .env , the way an attacker would from the public commit.: the runs shown below. figures/screenshots/ - Drop the contents of attack-fixtures/evolved/ onto a repository with a seeded .env . Use a canary, never a real secret. - Point a vision-capable agent Cursor, Antigravity at the repository and ask for an ordinary module. Say nothing about the convention. - Decode whatever tuple it writes: python attack-fixtures/decode prov canary.py