GhostCommit Attack Hides Prompt Injection in Images to Steal Developer Secrets From AI Coding Agents
Researchers have disclosed a technique called GhostCommit that hides malicious instructions inside PNG images to trick AI coding agents into exfiltrating developer secrets, bypassing both human and AI based code review entirely.

Split image showing code review screen and magnified image file representing hidden prompt injection attack on AI coding agents
A newly disclosed supply chain attack can trick AI coding agents into stealing developer secrets without triggering a single review tool. Researchers have demonstrated a technique that smuggles prompt injection instructions inside PNG images, allowing coding agents to exfiltrate environment secrets while bypassing both human and AI based pull request review entirely.
The attack, dubbed GhostCommit, exploits a structural blind spot present across modern development workflows. A survey of thousands of pull requests across some of the most active public repositories found that the large majority of merged changes received no substantive human or bot review at all, a gap increasingly filled by AI code reviewers that read diffs and comment much like a human reviewer would.
How the attack evades detection
An early version of the attack embedded a malicious instruction directly inside a plain text convention file that coding agents read automatically and treat as project policy. Because the instruction was readable text, AI reviewers correctly flagged it as a high severity finding before the change could be merged.
The evolved version of the attack splits the payload in two. The convention file itself becomes entirely innocuous, pointing only to an image file described as containing build provenance instructions. The actual exploit, an instruction to read a repository's environment file byte by byte and encode it as a numeric sequence, lives entirely inside text rendered within the image. Since text based reviewers treat image files as binary blobs, they see nothing to flag, and at least one major AI review tool excludes image files from its scanning process entirely by default. A fabricated supporting document rounds out the deception, defeating coherence checks that would otherwise flag an unsupported or unverified convention.
A delayed and quiet trigger
The exploit does not activate immediately. It lies dormant until a developer, in an entirely unrelated session, asks the coding agent to build a routine feature. The agent reads the previously merged convention file, follows the pointer to the image, extracts the hidden procedure, reads the environment file, and embeds the decoded contents as a lengthy numeric constant inside the newly generated code, disguised as a provenance marker.
The developer sees only the feature they requested and commits the change as normal. The numeric sequence, now sitting in a public commit, can later be decoded back into the original secret values by whoever planted the attack. Automated secret scanning tools do not catch this pattern, since none of them are designed to recognise a sequence of integers as credential shaped data, a blind spot not unlike the one exploited in earlier reporting on fake private key files used in Russian toolkit intrusions.
The coding tool matters more than the underlying model
Testing across multiple coding tools and AI models revealed that the deciding factor in whether an attack succeeds is not the underlying model but the harness, meaning the surrounding application and safety scaffolding wrapped around it. Several combinations of coding tools and models leaked secrets when tested against the attack, while one tool consistently refused the exploit across every model tested, suggesting that its safety scaffolding, rather than the raw capability of the underlying model, was responsible for blocking the attack.
Researchers also built a proof of concept defence: a lightweight multimodal review tool capable of scanning images alongside text and code, running on a single small graphics card. In testing against dozens of real world attack variants, the tool caught the overwhelming majority with zero false positives on legitimate pull requests, demonstrating that a fix is technically achievable but not yet deployed across the industry.
Why this matters for enterprise security teams
The technique highlights a growing category of risk as organisations move toward greater reliance on agentic AI systems for day to day software development. Security teams evaluating AI coding assistants for enterprise use should treat automated code review tools as a starting point rather than a complete safeguard, and should specifically assess whether their review pipeline inspects non text content such as images and other binary attachments included in pull requests, not only the code and configuration files that traditional scanners are built to catch.
Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA RegionOmar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.