AI Security Incident Case: Ghostcommit Attack Leveraged Images to Steal Secrets

Overview

On July 11, 2026, two researchers from the ASSET Research Group at the University of Missouri-Kansas City, Sudipta Chattopadhyay and Murali Ediga, disclosed a novel attack technique named Ghostcommit. This attack is capable of exfiltrating the entire contents of a target’s .env file. The ingenuity of this attack lies in the fact that the malicious instructions are not text, but an image.

Attack Background

The Ghostcommit attack essentially exploits a structural review blind spot within the AI-assisted development workflow, rather than relying on a specific CVE vulnerability. Researchers investigated 6,480 pull requests (PRs) across 300 of the most active public repositories over the past 90 days. They discovered that 73% of merged PRs ultimately made it into the default branch without any substantive human review or bot review. Filling this review gap are LLM-driven code review tools like Cursor Bugbot and CodeRabbit; however, while they can read code and documentation, they do not review images by default.

The root cause of this blind spot is not a lack of capability in the models, but rather that toolchain designers did not include images when defining the scope of reviews. As AI programming tools continuously expand their multimodal capabilities, this asymmetry—where “the model can read it, but the tool doesn’t look at it”—is becoming the most valuable breakthrough point for attackers.

Attack Process

The attack is primarily divided into two stages: delivery and triggering.

Stage One: Delivery

The attacker adds a coding convention file named AGENTS.md in a pull request. This file points to an image, and the exploit code exists inside the image rather than the text. The attacker submits the PR. Because the image appears merely as a binary file in the diff, human reviewers typically do not open it. Meanwhile, AI review tools detect nothing because they exclude images by default. The PR is successfully merged into the main branch, leaving the malicious instructions lurking in the repository, waiting to be triggered.

Stage Two: Triggering

Sometime later, a developer instructs a coding AI agent to write a routine module. The agent reads the previously merged convention file, opens the image, and follows the instructions inside to write the contents of the .env file into a new file as a tuple of integers. These integers, when decoded byte by byte, reveal the full contents of the victim’s .env file. However, because secret scanning tools do not reverse a Python integer tuple back into ASCII to check it, they remain completely unresponsive throughout the process. The attacker simply reads the tuple from the public commit and decodes it to obtain the secrets.

‘Ghostcommit’ attack overview (by ASSET Research Group)

Attack Threat

The ultimate goal of Ghostcommit is to steal all sensitive credentials within a repository’s .env file, including API keys, database connection strings, and cloud service tokens. Even more alarming is that the success rate of the attack depends almost entirely on the development tool itself, rather than the underlying model. Cursor and Antigravity leaked secrets across multiple models, whereas Claude Code explicitly refused to execute under the exact same model weights. These data indicate that the design of the toolchain’s security boundaries is more critical than model alignment.

Response result (by ASSET Research Group)

Traditional defensive lines consisting of human review, AI text review, and secret scanning all failed when facing image-embedded instructions and integer encoding. This makes the attack highly stealthy, capable of completing the entire exfiltration chain almost entirely without the developer’s awareness.

Case Summary

Ghostcommit is the first practical attack technique that combines multimodal prompt injection with supply chain attacks. Although it does not rely on complex exploitation techniques, it precisely hits a structural blind spot in modern AI-assisted development processes.

“Nobody looks at images. That’s the core of the entire attack.” The researchers stated the essence of Ghostcommit right at the beginning of their public disclosure. When AI assistants possess multimodal understanding capabilities while review processes remain stuck in the pure-text era, this capability asymmetry becomes a new attack surface. For security practitioners, the takeaway from Ghostcommit is: do not just focus on the security of the model itself, but closely examine the blind spots in every single link of the entire AI development workflow. Real security means plugging the loophole before attackers ever discover it.

References

[1] BleepingComputer: “Ghostcommit” hides prompt injection in images to fool AI agents, steal secrets — https://www.bleepingcomputer.com/news/security/ghostcommit-hides-prompt-injection-in-images-to-fool-ai-agents-steal-secrets/

[2] GitHub: asset-group/ghostcommit — PoC for GhostCommit Attack — https://github.com/asset-group/ghostcommit

[3] ASSET Research Group: We put the exploit in a picture. The AI code reviewer never opened it. — https://asset-group.github.io/disclosures/ghostcommit/

Leave a Reply

Your email address will not be published. Required fields are marked *

NSFOCUS
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.