Blog

Ghostcommit Attack: How Hackers Hide Prompt Injection in Images to Steal Your AI Agent's Secrets

Published July 17th, 2026 by Bayonseo

For many firms, AI code reviewers are now a reliable component of the software development lifecycle. They claim to enforce best practices, speed up code reviews, and find bugs, often with little human intervention. However, a dangerous blind spot in this contemporary approach is revealed by a new attack technique dubbed Ghostcommit, which enables attackers to acquire repository secrets by concealing malicious instructions inside an image that the reviewers never look at.


From Innocent PR to Full Secret Exfiltration

A sophisticated assault that starts with an apparently innocuous pull request (PR) has been shown by researchers from the ASSET Research Group at the University of Missouri-Kansas City. An AGENTS.md file, a kind of coding convention file that AI agents automatically read and interpret as project policy, is introduced in the PR. The file doesn't identify any secrets and appears to be standard build hygiene. Rather, it refers to the following image: docs/images/build-spec.png.

The exploit is contained in plain, readable text within that PNG file. The AI agent is instructed to read the repository's.env file byte by byte, encode each byte as an integer, and output the result as a module constant. This appears to be a typical modification to a human reviewer or an AI code reviewer that disregards visuals. Even after stuffing the PNG with the phrase "malicious prompt injection" and a clear directive to read.env, the researchers were still able to pass.


The Payload: Dormant Until Triggered

The payload remains inactive until a developer requests a routine task, such as a token-tracking module, from the coding agent during an unrelated session. At startup, the agent reads the combined AGENTS.md and opens.env, writes the requested module with a "provenance" constant near the top, and follows the pointer to the image.

After seeing the requested feature, the developer commits the code. The numbers from the public commit are then decoded by the attacker. Since none of them convert a Python integer tuple back into ASCII to verify it, secret scanners are never aware of it. This exfiltration was carried out on the first attempt in one end-to-end test by Cursor driving Claude Sonnet, who emitted 311 integers that decrypted the entire.env file byte by byte.


The Sharpest Finding: Tooling Matters More Than Models

The coding tool was more important than the model across ten runs each. Both Cursor and Antigravity leaked the.env under Sonnet, Gemini, and GPT-5.5 after following the picture. Running the identical Sonnet weights, Anthropic's Claude Code read the same convention and declined. Opus wrote out the secret under Antigravity, identified the social-engineering pattern, and removed it before finishing. The harness around the same model determines the opposite results.


How to Defend Against Ghostcommit

A multimodal pull-request defender powered by a single 4 GB graphics card was developed by the researchers. It combines an LLM pass over conventional text, an analysis of committed code structure, scans for unseen characters, and—most importantly—an LLM pass over the images. Only one assault was successful in a live test against 80 pull requests, and none of the 30 valid PRs set off a false alarm.

Runtime monitoring, which observes what an agent actually does when it reads a credentials file it had no cause to touch, is the other layer.


How Bayon Technologies Group Can Help

We at Bayon Technologies Group are aware that new attack surfaces brought about by AI-powered development tools are simply outside the scope of conventional security measures. We assist the following organizations:

  • Audit AI Development Pipelines: We evaluate the security of your AI-powered code review and development tools, finding blind spots such as credential access and picture processing.
  • Put Multimodal Security Controls in Place: We assist you in implementing systems that check all file types, including images, for hidden instructions and malicious prompt injection.
  • Track Agent Behavior: We use runtime monitoring to find instances in which AI agents access private files, such as.env, without authorization.
  • Create Secure AI Workflows: We assist your team in setting up AI tools to reduce risk, including settings unique to each tool that stop unwanted credential access.

Don't let an invisible image turn your AI agent into a data exfiltration tool. Contact Bayon Technologies Group today to secure your AI‑powered development pipeline.


‹ Back