Ghostcommit: Prompt Injection Hidden in Plain Sight
Security researchers have published details of a novel attack technique called Ghostcommit that exploits a blind spot shared by many AI-powered developer tools: image files. By hiding prompt injection payloads inside PNG images committed to a repository, attackers can bypass AI code review systems entirely — and then weaponize AI coding agents to steal secrets.
How the Attack Works
The Ghostcommit technique operates in two stages:
Stage 1: Evading AI Code Reviewers
Popular AI code review tools like CodeRabbit and Bugbot analyze code changes submitted in pull requests. Critically, researchers found that neither tool opens or analyzes image files — they treat binary assets as opaque blobs outside their scope.
By encoding a prompt injection payload inside a PNG file (embedded as metadata, EXIF data, or within the image data itself), an attacker can commit a malicious "image" that passes through AI code review completely unchallenged.
Stage 2: Hijacking the Coding Agent
When an AI coding agent (such as a Claude, GPT, or Gemini-powered assistant) is subsequently invoked to work on the repository, it may encounter and process the malicious image. The hidden prompt injection instructs the agent to:
- Read the repository's
.envfile (or other secret stores) - Write every discovered secret into a location controlled by the attacker (a commit, a comment, an API call, etc.)
In the researchers' demonstration, the injected payload successfully convinced the coding agent to exfiltrate secrets — all while the developer remained unaware.
Why This Matters
Ghostcommit highlights several systemic risks in the modern AI-augmented development workflow:
The Trust Asymmetry Problem
Code reviewers — both human and AI — implicitly trust image assets more than code. Binary files "can't execute," so they receive less scrutiny. Ghostcommit exploits this assumption by treating the image as a delivery mechanism for instructions rather than executable code.
AI Agents Have Broad Access
Coding agents that operate on repositories often have read access to secrets, configuration files, and sensitive data by design. They need this access to do their jobs. Prompt injection transforms that legitimate access into an exfiltration vector.
The Attack is Stealthy
- The malicious PNG looks like a normal image to any visual inspection
- No code changes are required — only an image commit
- AI reviewers skip the file entirely
- The agent's subsequent actions may look legitimate in logs
Affected Tools
The research specifically demonstrated bypass of:
- CodeRabbit — skipped image file analysis entirely
- Bugbot — also did not open image files in review mode
The researchers note this is a class-level issue, not specific to these two products — any AI code reviewer that does not analyze binary/image files shares this blind spot.
Mitigation Strategies
For Development Teams
- Scrutinize image commits: Any new image added to a repository via PR should be treated with the same suspicion as code, especially from external contributors
- Limit agent permissions: AI coding agents should not have read access to
.envfiles or secret stores by default; use secrets management tools instead - Secrets in environment, not files: Avoid storing secrets in files within the repository, even in
.gitignoredfiles that agents may still access locally - Monitor agent actions: Log and audit what AI agents read and write during their operation
For AI Tool Vendors
- Scan image metadata: Code review tools should at minimum check image EXIF data, metadata, and embedded text for suspicious content
- Implement prompt injection detection: Agent pipelines should include heuristics for detecting instruction injection patterns in processed content
- Principle of least privilege: Agents should request only the minimum file access needed for each task
The Broader Prompt Injection Landscape
Ghostcommit joins a growing body of research demonstrating that prompt injection is the XSS of the AI era — a fundamental input validation failure that manifests in unexpected places. As AI agents gain more autonomy over code, infrastructure, and sensitive data, the attack surface for prompt injection continues to expand.
The technique also raises supply chain concerns: a malicious image injected into an open-source repository could silently target every developer who uses an AI coding agent with that codebase.