LIVE FEED
FIRST LOOK ATLAS OWASP CRITICAL Active exploitation · Immediate action required RELEVANCE ▲ 9.2

Ghostcommit PoC Embeds Prompt Injection in PNG to Steal Repo Secrets

ATTACK SURFACE BRIEF CRITICAL ↗ RAPID
  • What shipped: Researchers published a PoC that hides prompt injection inside PNG images to make AI coding agents silently steal repo secrets.
  • Who's now exposed: Engineering teams using AI code review tools and coding agents — such as CodeRabbit or similar — on repositories that accept external pull requests are directly exposed.
  • Assess now: Audit all AGENTS.md, CLAUDE.md, and equivalent agent-policy files in your repositories for external image references · Configure AI review tools to treat image files as reviewable artifacts in agentic contexts, not excluded binary blobs · Restrict AI agent filesystem permissions so agents cannot read .env or credential files without explicit, scoped human approval · Implement secrets-scanning on all agent-generated code commits, including numeric or encoded constant arrays · Enforce mandatory human review for any PR that modifies agent convention files, regardless of bot review outcomes
Ghostcommit PoC Embeds Prompt Injection in PNG to Steal Repo Secrets

Capability Overview

Researchers at the University of Missouri-Kansas City’s ASSET Research Group have published a proof-of-concept attack, dubbed Ghostcommit, demonstrating that malicious prompt injection instructions can be embedded inside PNG image files and survive AI-assisted code review entirely undetected. The attack targets the automated code review and coding agent pipeline that now underpins a significant proportion of modern software development workflows.

The vector exploits two converging realities: first, that AI coding agents treat project convention files such as AGENTS.md as authoritative policy they will follow autonomously; and second, that AI review tools — including commercially deployed products like CodeRabbit and Bugbot — systematically exclude image files from analysis. This creates a blind spot that is architectural, not incidental, and therefore not addressable by tuning existing review thresholds.

A survey conducted by the researchers across 6,480 pull requests in the 300 most active public repositories found that 73% of merged PRs reached the default branch with no substantive human or bot review — establishing that the review gap Ghostcommit exploits is already endemic at scale.

Attack Surface Analysis

Ghostcommit introduces several overlapping attack vectors that defenders have no current tooling to detect in combination:

Image-embedded injection: Malicious instructions rendered as text within a PNG are invisible to any text-based analysis pipeline. The payload survives diff review, PR scanning, and secrets detection because reviewers process the file as an opaque binary blob.

Convention file as persistent dropper: AGENTS.md is automatically ingested by coding agents and treated as project policy. A compromised convention file pointing to a malicious image creates a dormant payload that activates in any future agent session — decoupled from the PR that introduced it.

Delayed, session-agnostic execution: The payload fires not at merge time but when a developer later requests any routine task. This temporal separation makes causal attribution extremely difficult and defeats session-scoped monitoring.

Encoded exfiltration: Secrets from .env files are encoded as integer arrays within ostensibly legitimate source modules, bypassing string-matching secrets scanners.

Coherence-defence bypass: Fabricated supporting code (a fake provenance validator) and a fictitious incident postmortem were sufficient to defeat coherence checks that flag unsupported conventions — demonstrating that social engineering artefacts can defeat AI reviewers’ secondary defences.

Framework Mapping

FrameworkTechniqueRationale
MITRE ATLASAML.T0051 – LLM Prompt InjectionCore mechanism: instructions injected via image into agent context
MITRE ATLASAML.T0057 – LLM Data LeakageSecrets exfiltrated from .env into committed source
MITRE ATLASAML.T0043 – Craft Adversarial DataPNG crafted specifically to evade reviewer processing
MITRE ATLASAML.T0010 – ML Supply Chain CompromiseMalicious PR injected into the development pipeline
MITRE ATLASAML.T0015 – Evade ML ModelPayload bypasses CodeRabbit and Bugbot detection
OWASPLLM01 – Prompt InjectionIndirect injection via image in agent-read file
OWASPLLM06 – Sensitive Information Disclosure.env credentials written into committed code
OWASPLLM08 – Excessive AgencyAgent acts on filesystem and git without human checkpoint
OWASPLLM05 – Supply Chain VulnerabilitiesAttack enters via the PR/dependency ingestion pipeline

Threat Scenarios

Scenario 1 — Open-source repository compromise: A threat actor submits a PR to a popular open-source library, adding a plausible docs/images/build-spec.png and an updated AGENTS.md. The PR merges with no human review. Any downstream contributor who later asks a coding agent to add a feature triggers secret exfiltration of their local environment credentials.

Scenario 2 — Enterprise CI/CD poisoning: An insider or compromised contributor submits a convention-file PR to an enterprise monorepo. Weeks later, a developer’s agent session exfiltrates cloud provider keys encoded into a committed constants file that passes routine code review.

Scenario 3 — Supply chain pivot: A malicious PNG payload is introduced into a shared internal template repository. All projects seeded from that template inherit the dormant AGENTS.md reference, creating a wide-blast-radius sleeper implant across the organisation’s codebase.

Defender Checklist

  • Inventory all agent policy files (AGENTS.md, CLAUDE.md, .cursorrules, etc.) across repositories and flag any that reference external image paths
  • Treat image files as in-scope for review in any repository where AI agents have filesystem or git write access — escalate vendor configuration requests accordingly
  • Enforce least-privilege agent permissions: agents should not be able to read credential files (.env, ~/.aws/credentials) without an explicit, scoped, human-approved step
  • Add detection rules for encoded exfiltration patterns: large integer-array constants committed to source modules should trigger a secrets-triage workflow
  • Require mandatory human sign-off on convention file changes regardless of AI review outcome — treat AGENTS.md modifications as equivalent to CI/CD pipeline changes
  • Monitor agent session logs for unexpected filesystem reads of credential paths and flag cross-session anomalies
  • Validate PNG and image assets committed alongside code convention changes through image-to-text extraction pipelines before merge

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.