Cybersecurity Researchers Uncover “Ghostcommit”: A New Image-Based Attack Manipulating AI to Steal Sensitive Data
Cybersecurity researchers have identified a sophisticated supply chain attack technique dubbed “Ghostcommit.” This method conceals malicious instructions within image files, specifically targeting artificial intelligence (AI) coding assistants. By embedding hidden prompt-injection commands in PNG images, attackers can manipulate AI-powered code review tools and coding agents to extract sensitive information, including .env files that contain API keys, database details, and cloud credentials.
The ASSET Research Group has demonstrated that conventional AI code reviewers can readily identify direct malicious instructions presented in plain text. However, the Ghostcommit technique cleverly circumvents automated security reviews by splitting the attack payload. It combines a seemingly innocuous instruction file with an image that harbors hidden commands, thus allowing attackers to bypass detection.
Malicious Instructions Hidden Inside Images
In a typical scenario, a pull request that includes a clear instruction to extract and leak a repository’s .env file is flagged by AI-based code review systems like Cursor Bugbot and CodeRabbit. To evade detection, the Ghostcommit attack divides its malicious payload into two components. A file named AGENTS.md contains an innocuous instruction prompting the AI coding agent to “derive a build constant” from a referenced image file.
The actual malicious commands are embedded within the image itself. The PNG file conceals text that instructs the AI agent to read the .env file, convert its contents into ASCII integer values, and insert these values into the source code. Many AI code review systems focus on analyzing text-based changes while neglecting image content, allowing the malicious pull request to pass security checks without raising alarms.
Attack Activates After Code Merge
The Ghostcommit attack does not initiate data theft immediately upon code merging. Instead, the trap is triggered later when a developer utilizes an AI coding assistant during routine programming tasks. The AI agent processes the merged AGENTS.md file, follows the image reference, and executes the hidden instructions. This results in the generation of code containing hundreds of integers that represent the stolen .env file contents.
In a practical demonstration, an AI coding assistant powered by Claude Sonnet produced a sequence of 311 integers that contained sensitive information. The attacker could subsequently decode these numbers to recover API keys, database URLs, and cloud access credentials.
Two-Level Evasion Strategy
The Ghostcommit technique exploits two distinct vulnerabilities. First, by hiding the malicious prompt within an image, it becomes challenging for human reviewers, traditional scanners, and AI tools that only analyze text differences to detect. Second, the stolen data is transformed into an integer tuple rather than appearing as recognizable text credentials. Conventional secret-scanning tools typically search for identifiable patterns such as passwords or API keys, which may lead to a failure in recognizing encoded numerical sequences.
This dual-layered approach allows attackers to conceal both the malicious instructions and the stolen information in formats that existing security systems are ill-equipped to detect.
Different AI Tools Show Different Responses
Testing across various AI coding tools and models revealed that security outcomes were heavily influenced by the surrounding AI framework rather than solely the underlying language model. Researchers found that some AI coding environments inadvertently leaked the entire contents of .env files across multiple models, including GPT-5.5 and various versions of Claude and Gemini models.
Conversely, Claude Code consistently refused to execute the malicious instructions across all tested models, indicating that the same AI model can exhibit different behaviors depending on its integration within a coding environment. In one instance, an AI model generated secret information but later recognized the social-engineering pattern and removed it before completing the task.
Researchers Develop Detection System
In response to the growing threat posed by such attacks, researchers have developed a prototype multimodal GitHub security review system. This tool integrates image analysis, code-pattern detection, and AI-based inspection of both text instructions and embedded image content. During testing against multiple attack techniques, the prototype successfully detected all malicious pull requests without generating false positives. It also identified nearly all previously unseen attack samples while avoiding alerts on legitimate code submissions.
The researchers have publicly released their proof-of-concept attack method and detection approach, enabling security teams to study and enhance defenses against AI-driven supply chain attacks.
Growing Threat From AI-Based Attacks
Experts in cybersecurity assert that Ghostcommit underscores a new category of risks emerging from the rapid adoption of AI coding assistants. As organizations increasingly depend on AI agents for software development, attackers are devising novel methods to manipulate these systems through hidden instructions and social-engineering techniques.
To mitigate these risks, experts recommend that organizations implement stringent AI usage policies, conduct thorough reviews of AI-generated code, monitor repository changes, and restrict AI tools’ access to sensitive files and credentials.
For further information on this emerging threat, refer to the original reporting source: the420.in.
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.


