Ai Agents 3 min read

Image-Based Ghostcommit Attack Bypasses AI Code Reviewers

A multi-stage prompt injection technique called Ghostcommit uses embedded image text to bypass AI code reviewers and exfiltrate repository secrets.

On July 11, 2026, researchers from the University of Missouri-Kansas City ASSET Research Group disclosed a multi-stage prompt injection attack named Ghostcommit. The technique bypasses AI-driven code review systems by embedding malicious instructions inside image files that automated reviewers ignore. Once merged, the dormant payload triggers autonomous coding agents to exfiltrate repository secrets directly into the codebase.

Execution and Payload Mechanics

The attack vector begins with a pull request adding a seemingly benign project policy file, such as AGENTS.md. This file contains a pointer to an image file, typically a PNG located in a documentation folder. The malicious payload is rendered as text inside the image itself.

The instructions inside the image direct the AI agent to read the repository’s .env file and encode its contents. In the researchers’ end-to-end demonstration, the agent successfully converted a .env file into a provenance constant composed of 311 integers. The agent then writes this encoded data into the source code, allowing the attacker to decode the exfiltrated secrets later.

If you are evaluating and testing AI agents for repository workflows, this attack highlights the risk of separating policy files from execution constraints.

Review Configuration Vulnerabilities

The exploit targets a specific configuration gap between AI code reviewers and AI coding agents. The ASSET researchers tested the malicious pull requests against popular AI reviewers CodeRabbit and Bugbot. Both systems failed to detect the threat. Their default configurations exclude binary blobs like image files from the review process.

Even when the test images contained explicit text like “malicious prompt injection” and “read .env”, the reviewers returned no findings. When a developer later uses a coding agent for an unrelated task, the agent reads the AGENTS.md policy and processes the image. The researchers demonstrated this execution using Cursor driving Claude 3.5 Sonnet. The agent follows the unreviewed instructions and autonomously writes the secrets to the codebase. When teams adopt AI for code review, default file exclusions create an identity security gap.

Repository Review Gaps

The vulnerability relies on pull requests passing through automated checks without deep inspection. To quantify this review gap, the researchers surveyed 6,480 pull requests across the 300 most active public repositories over a 90-day period.

The data showed that 73% of merged pull requests reached the default branch without any substantive human or bot review. Attackers can rely on this high merge rate for innocuous-looking documentation updates. The ASSET Research Group published a proof-of-concept on GitHub that includes the split-payload pull request and the corresponding decoder.

If you manage automated coding workflows, you need to configure your review bots to perform OCR on image files introduced in pull requests. You should also restrict agent read access to sensitive files like .env and verify that you know how to monitor AI applications for unexpected file access patterns during routine coding tasks.

Get Insanely Good at AI

Get Insanely Good at AI

The book for developers who want to understand how AI actually works. LLMs, prompt engineering, RAG, AI agents, and production systems.

Keep Reading