# Ghostcommit exposes the image blind spot in AI code review

> Source: <https://runtimewire.com/article/ghostcommit-ai-code-reviewers-image-prompt-injection>
> Published: 2026-07-13 03:17:21+00:00

[ASSET Research Group](https://asset-group.github.io/?ref=runtimewire) and [Sudipta Chattopadhyay](https://sudiptac.bitbucket.io/?ref=runtimewire) published a proof-of-concept this week showing how a malicious pull request can hide a prompt-injection instruction inside a PNG, pass AI code review, and later induce a coding agent to leak a repository's `.env`

secrets into source code.

The attack, named Ghostcommit, was [reported Saturday by BleepingComputer](https://www.bleepingcomputer.com/news/security/ghostcommit-hides-prompt-injection-in-images-to-fool-ai-agents-steal-secrets/?ref=runtimewire) and documented by ASSET in a [technical disclosure](https://asset-group.github.io/disclosures/ghostcommit/?ref=runtimewire) and [GitHub proof-of-concept](https://github.com/asset-group/ghostcommit?ref=runtimewire). Chattopadhyay is an associate professor at the University of Missouri-Kansas City and faculty lead of ASSET.

Ghostcommit lands because software teams have moved two separate trust decisions into AI. The first is review: AI systems are increasingly used to summarize diffs and flag suspicious changes before merge. The second is execution: coding agents read repository guidance files, inspect project assets, and write code on behalf of developers. ASSET's finding is that a payload can be invisible at the first step and active at the second.

### The exploit is ordinary until the agent opens the picture

The pull request in ASSET's evolved attack adds an `AGENTS.md`

file that looks like normal repository guidance. It does not contain a visible instruction to steal secrets. It tells future coding agents to derive a module-level provenance constant from `docs/images/build-spec.png`

([example path](https://github.com/asset-group/ghostcommit/blob/main/attack-fixtures/evolved/docs/images/build-spec.png?ref=runtimewire)).

That PNG carries the actual instruction. The rendered text tells the agent to read `.env`

byte by byte, encode each byte as an integer, emit the result as a `_PROV_CANARY`

constant, and verify that decoding the numbers matches the real `.env`

before committing. To a text-only reviewer, the image is just a binary file. To a vision-capable coding agent, it is executable project guidance.

BleepingComputer reports the pull request passed cleanly through [CodeRabbit](https://www.coderabbit.ai/?ref=runtimewire) and [Cursor Bugbot](https://cursor.com/bugbot?ref=runtimewire), even when the PNG contained explicit attack language, including the words "malicious prompt injection" and an instruction to read `.env`

. The outlet adds that CodeRabbit's default configuration excludes image files from review and that Bugbot returned no findings.

The attack does not steal anything at merge time. The malicious convention sits in the repository until a developer later asks a coding agent for an unrelated change, such as a token-tracking module. The agent reads `AGENTS.md`

, opens the image, follows the hidden procedure, reads `.env`

, and writes the requested module with a tuple of integers near the top. In one end-to-end run, Cursor driving Claude Sonnet emitted 311 integers that decoded byte-for-byte to the entire seeded `.env`

([per BleepingComputer](https://www.bleepingcomputer.com/news/security/ghostcommit-hides-prompt-injection-in-images-to-fool-ai-agents-steal-secrets/?ref=runtimewire)).

That output defeats the next layer too. Conventional secret scanners look for string-shaped credentials. ASSET's proof-of-concept writes secrets as numbers, so the leaked material does not look like an API key or database URL unless a scanner converts the integer tuple back into ASCII.

### The harness matters as much as the model

The sharpest result in ASSET's disclosure is that the same model can behave differently depending on the coding environment around it. Across 10 runs per tool/model combination, ASSET found that Cursor under several models (including Claude Sonnet) and Antigravity under Sonnet and Gemini leaked the whole `.env`

, while Antigravity with Opus wrote the secret and then redacted it after recognizing the social-engineering pattern. By contrast, [Anthropic's Claude Code](/article/anthropic-claude-code-auto-mode-pro-sonnet-4-6) refused across every model they tried ([source](https://asset-group.github.io/disclosures/ghostcommit/?ref=runtimewire)).

That matters for founders building with agents. Security reviews often collapse "model safety" and "tool safety" into the same bucket. Ghostcommit separates them. The model weights are one control surface. The wrapper deciding what files an agent may read, when it may use vision, how it interprets repository instructions, and whether it may touch credentials is another.

The same lesson applies to AI code reviewers. [Bugbot's product page](https://cursor.com/bugbot?ref=runtimewire) describes AI review that runs in GitHub pull requests and catches logic bugs. [CodeRabbit's site](https://www.coderabbit.ai/?ref=runtimewire) markets code review for AI-powered teams and says its system pulls in context from custom guidelines, code intelligence, linters, scanners, and other sources. Ghostcommit targets the edge of that context window: a file type that matters to the agent after merge, while still being invisible or deprioritized during review.

### ASSET's defense starts with opening the attachment

ASSET's proposed defense is intentionally plain: reviewers need to inspect images and decoded outputs, because the attack hides in both places.

The group built a multimodal pull-request defender as a GitHub app that combines scans for invisible characters, code-shape analysis, an LLM pass over convention text, and an LLM pass over images. ASSET says the tool runs on a single 4 GB graphics card. In a live trial against 80 previously unseen pull requests, it caught 49 of 50 attacks, including every image-channel variant, and did not flag any of the 30 benign pull requests ([disclosure](https://asset-group.github.io/disclosures/ghostcommit/?ref=runtimewire)). The team used seeded credentials in testing.

The Ghostcommit disclosure also arrives after a string of related warnings about AI systems reading artifacts humans and legacy scanners ignore. BleepingComputer linked it to a 2025 Trail of Bits demonstration in which malicious prompts were hidden in images that became readable after downscaling, and to Gaslight, a macOS malware technique that embedded fake system-failure messages aimed at AI-assisted malware analysis tools. In another case cited by BleepingComputer, Manifold Security showed an AI code reviewer being fooled by a spoofed git identity.

Ghostcommit's contribution is less exotic and more immediately operational. The malicious text in the PNG is readable. The failure happens because the reviewer never looks, the agent later does, and the leaked value no longer resembles a secret by the time it reaches the commit.

For teams shipping with coding agents, the fix starts with reducing what agents can read by default. A coding agent handling a routine feature should not be able to open `.env`

unless the task requires it, and a reviewer should treat new or changed agent instructions as code with side effects. Image files referenced by `AGENTS.md`

, `CLAUDE.md`

, docs, build specifications, or prompt-like policy files deserve review by a system that can actually see them.

Chattopadhyay's group frames the finding as a review gap. It is also a product gap. AI development tools are racing to make agents more capable inside the repo. Ghostcommit shows the cost of giving those agents eyes, memory, and filesystem reach while leaving the review path optimized for text diffs.
