Ghostcommit: PNG prompt-injection makes AI agents leak repository secrets Researchers disclosed Ghostcommit, a proof-of-concept attack that hides prompt-injection instructions inside a PNG image referenced by an AGENTS.md file, causing AI coding agents to leak repository secrets. A survey of 6,480 pull requests across 300 active repositories found 73% merged without substantive human or bot review. The disclosure prompted notifications to vendors. Researchers disclosed Ghostcommit, a proof-of-concept software supply-chain attack that hides prompt-injection instructions inside a PNG image referenced by an AGENTS.md file, allowing malicious pull requests to appear benign during review. The instruction to steal your .env lives inside a PNG. The demonstration team placed the exploit in an image so text-based reviewers treat the file as a binary blob while downstream coding agents later open the picture, follow its instructions, access repository secrets and emit those secrets into source as encoded integers. In a related survey the authors wrote we surveyed 6,480 pull requests across the 300 most active public repositories of the last ninety days, and 73% of the ones that got merged reached the default branch with no substantive human review and no bot review at all. News outlets reported the disclosure and vendors were notified.