Capability Overview
Researchers at the University of Missouri-Kansas City’s ASSET Research Group have published a proof-of-concept attack, dubbed Ghostcommit, demonstrating that malicious prompt injection instructions can be embedded inside PNG image files and survive AI-assisted code review entirely undetected. The attack targets the automated code review and coding agent pipeline that now underpins a significant proportion of modern software development workflows.
The vector exploits two converging realities: first, that AI coding agents treat project convention files such as AGENTS.md as authoritative policy they will follow autonomously; and second, that AI review tools — including commercially deployed products like CodeRabbit and Bugbot — systematically exclude image files from analysis. This creates a blind spot that is architectural, not incidental, and therefore not addressable by tuning existing review thresholds.
A survey conducted by the researchers across 6,480 pull requests in the 300 most active public repositories found that 73% of merged PRs reached the default branch with no substantive human or bot review — establishing that the review gap Ghostcommit exploits is already endemic at scale.
Attack Surface Analysis
Ghostcommit introduces several overlapping attack vectors that defenders have no current tooling to detect in combination:
Image-embedded injection: Malicious instructions rendered as text within a PNG are invisible to any text-based analysis pipeline. The payload survives diff review, PR scanning, and secrets detection because reviewers process the file as an opaque binary blob.
Convention file as persistent dropper: AGENTS.md is automatically ingested by coding agents and treated as project policy. A compromised convention file pointing to a malicious image creates a dormant payload that activates in any future agent session — decoupled from the PR that introduced it.
Delayed, session-agnostic execution: The payload fires not at merge time but when a developer later requests any routine task. This temporal separation makes causal attribution extremely difficult and defeats session-scoped monitoring.
Encoded exfiltration: Secrets from .env files are encoded as integer arrays within ostensibly legitimate source modules, bypassing string-matching secrets scanners.
Coherence-defence bypass: Fabricated supporting code (a fake provenance validator) and a fictitious incident postmortem were sufficient to defeat coherence checks that flag unsupported conventions — demonstrating that social engineering artefacts can defeat AI reviewers’ secondary defences.
Framework Mapping
| Framework | Technique | Rationale |
|---|---|---|
| MITRE ATLAS | AML.T0051 – LLM Prompt Injection | Core mechanism: instructions injected via image into agent context |
| MITRE ATLAS | AML.T0057 – LLM Data Leakage | Secrets exfiltrated from .env into committed source |
| MITRE ATLAS | AML.T0043 – Craft Adversarial Data | PNG crafted specifically to evade reviewer processing |
| MITRE ATLAS | AML.T0010 – ML Supply Chain Compromise | Malicious PR injected into the development pipeline |
| MITRE ATLAS | AML.T0015 – Evade ML Model | Payload bypasses CodeRabbit and Bugbot detection |
| OWASP | LLM01 – Prompt Injection | Indirect injection via image in agent-read file |
| OWASP | LLM06 – Sensitive Information Disclosure | .env credentials written into committed code |
| OWASP | LLM08 – Excessive Agency | Agent acts on filesystem and git without human checkpoint |
| OWASP | LLM05 – Supply Chain Vulnerabilities | Attack enters via the PR/dependency ingestion pipeline |
Threat Scenarios
Scenario 1 — Open-source repository compromise: A threat actor submits a PR to a popular open-source library, adding a plausible docs/images/build-spec.png and an updated AGENTS.md. The PR merges with no human review. Any downstream contributor who later asks a coding agent to add a feature triggers secret exfiltration of their local environment credentials.
Scenario 2 — Enterprise CI/CD poisoning: An insider or compromised contributor submits a convention-file PR to an enterprise monorepo. Weeks later, a developer’s agent session exfiltrates cloud provider keys encoded into a committed constants file that passes routine code review.
Scenario 3 — Supply chain pivot: A malicious PNG payload is introduced into a shared internal template repository. All projects seeded from that template inherit the dormant AGENTS.md reference, creating a wide-blast-radius sleeper implant across the organisation’s codebase.
Defender Checklist
- Inventory all agent policy files (
AGENTS.md,CLAUDE.md,.cursorrules, etc.) across repositories and flag any that reference external image paths - Treat image files as in-scope for review in any repository where AI agents have filesystem or git write access — escalate vendor configuration requests accordingly
- Enforce least-privilege agent permissions: agents should not be able to read credential files (
.env,~/.aws/credentials) without an explicit, scoped, human-approved step - Add detection rules for encoded exfiltration patterns: large integer-array constants committed to source modules should trigger a secrets-triage workflow
- Require mandatory human sign-off on convention file changes regardless of AI review outcome — treat AGENTS.md modifications as equivalent to CI/CD pipeline changes
- Monitor agent session logs for unexpected filesystem reads of credential paths and flag cross-session anomalies
- Validate PNG and image assets committed alongside code convention changes through image-to-text extraction pipelines before merge