Ghostcommit: How attackers hide malicious AI instructions inside PNG images to steal code secrets

Imagine a malicious instruction embedded inside a picture file — invisible to human reviewers but perfectly readable by an AI coding agent — that quietly orders it to steal your most sensitive credentials. That is exactly what a group of academic researchers demonstrated in July 2026 with a proof-of-concept attack they call Ghostcommit.

Developed by the ASSET Research Group at the University of Missouri-Kansas City, Ghostcommit represents a new category of software supply-chain threat. It exploits a fundamental blind spot in modern AI-assisted development: many AI code review tools treat images as decorative content and never inspect them, even though multimodal AI models can read text rendered inside image files.

How the attack works

An attacker submits a pull request to an open-source repository containing two additions: a PNG image file and an update to AGENTS.md — a configuration file that many AI coding tools read to understand project conventions. The PNG image, which appears to be a harmless diagram or screenshot, actually has prompt-injection instructions embedded as visible text within the image. Human reviewers see only the diagram; they never notice the instructions because they do not expect image content to carry executable commands. AI code reviewers like CodeRabbit and Bugbot skip image files entirely, so the malicious PR passes review. Later, when a developer asks their AI coding agent to perform a routine task — such as refactoring a function or adding a feature — the agent reads AGENTS.md, follows the reference to the image file, processes its content, and unwittingly executes the hidden instructions. These can include exfiltrating the repository's .env file, leaking API keys, database credentials, and other secrets embedded in the codebase.

Key facts about Ghostcommit

Images become attack vectors. Ghostcommit proves that PNG files — long considered safe to include in code repositories — can carry active, executable instructions that exploit the multimodal capabilities of modern AI assistants. Any image in a repository now becomes a potential attack surface.

Conventional code review provides no defense. The attack exploits a structural gap: human reviewers do not scrutinize image content for instructions, and AI code reviewers do not open images at all. Neither layer catches the threat. The researchers demonstrated that plain-text prompt injections in code are caught immediately by LLM-based reviewers, but the same instructions hidden in images bypass every existing safeguard.

A delayed-execution supply-chain attack. Unlike traditional malware that triggers immediately, Ghostcommit plants instructions that execute only later, when a developer uses an AI agent for an unrelated task. This makes attribution and detection significantly harder. The instructions can remain dormant in a repository for weeks or months before being activated.

What this means for software security

Ghostcommit forces a rethinking of how AI coding tools handle multimodal inputs. As coding agents gain the ability to read images, diagrams, screenshots, and even audio files, the security community must develop new inspection pipelines that can detect and neutralize hidden instructions inside non-text files. Several AI code review platforms have already announced plans to add image-content scanning, and the ASSET Research Group is working on detection tools that can identify steganographic payloads in repository assets. For developers, the immediate recommendation is to be cautious about which repositories they allow AI agents to interact with and to review any AGENTS.md or similar configuration files that reference external image resources.