Researchers disclosed Ghostcommit, a proof-of-concept software supply-chain attack that hides prompt-injection instructions inside a PNG image referenced by an AGENTS.md file, allowing malicious pull requests to appear benign during review. The instruction to steal your .env lives inside a PNG. The demonstration team placed the exploit in an image so text-based reviewers treat the file as a binary blob while downstream coding agents later open the picture, follow its instructions, access repository secrets and emit those secrets into source as encoded integers. In a related survey the authors wrote we surveyed 6,480 pull requests across the 300 most active public repositories of the last ninety days, and 73% of the ones that got merged reached the default branch with no substantive human review and no bot review at all. News outlets reported the disclosure and vendors were notified.
Show HN: Confessor – replay what private info Claude Code accessed on your PC