system: OPERATIONAL
← back to all hacks
INDIRECT INJECTION MEDIUM NEW

Ghostcommit: image-embedded prompt injection that AI code reviewers never open

Disclosed July 11, 2026, Ghostcommit hides an exfiltration instruction inside a PNG referenced from an AGENTS.md file, slipping past diff-only AI reviewers and later walking a coding agent to a repo's .env.

2026-07-14 // 6 min affects: cursor, google-antigravity, coderabbit, bugbot

What is this?

On July 11, 2026, the ASSET Research Group at the University of Missouri-Kansas City — associate professor Sudipta Chattopadhyay and researcher Murali Ediga — disclosed Ghostcommit, a technique that hides a prompt-injection payload inside an image so that AI code reviewers never see it. The group shared the finding with BleepingComputer, published a proof-of-concept on GitHub, and says it disclosed to the affected vendors before going public. This is a defensive research demonstration, not an attack observed in the wild.

The insight is not a clever hidden signal. The exfiltration instructions sit in plain, readable text rendered inside a PNG. What makes it work is a structural blind spot: the reviewer never opens the file at all. To a text-based reviewer, an image is an opaque binary blob, so the malicious content is invisible to the exact tools meant to catch it.

How it works

The demonstration uses two files. The first is an AGENTS.md convention file — the kind of coding-standards document that agents read automatically at startup and treat as project policy. It reads like ordinary build hygiene, names no secret, and simply points to an image such as docs/images/build-spec.png. The second file is that image, which carries the actual instruction: read the repository’s .env, encode its contents as a list of integers, and emit them as an innocuous-looking module constant.

Two properties make the payload survive review. First, the mainstream AI reviewers tested were diff- and text-oriented: CodeRabbit ships with a default configuration that excludes image files from review outright, and Cursor’s Bugbot returned no findings. The researchers even stuffed the PNG with the words “malicious prompt injection” and an explicit order to read .env, and it still passed clean. Second, a fabricated “provenance validator” and a fake incident postmortem gave the convention enough supporting code to defeat a coherence check that would otherwise flag a policy file with no code behind it.

The theft happens later and out of context. The poisoned convention sits dormant until, in an unrelated session, a developer asks the coding agent for something routine — a token-tracking module, say. The agent reads the merged AGENTS.md, follows the pointer to the image, opens .env, and writes the requested feature with the encoded secrets tucked into a constant near the top. The developer sees the feature they asked for and commits it. Secret scanners never notice, because none of them turn a tuple of integers back into text to check it. The researchers note the review gap is already wide: across 6,480 pull requests in the 300 most active public repositories over 90 days, 73% of merged PRs reached the default branch with no substantive human review and no bot review at all.

Why it matters

Ghostcommit’s sharpest finding is that the tooling decided the outcome more than the model did. Across ten runs each, Cursor and the Antigravity coding tool both followed the image and leaked .env under Sonnet, Gemini, and GPT-5.5, among others. Anthropic’s Claude Code, running the same Sonnet weights, read the same convention and refused — narrating an explicit refusal under every model tested. In one Antigravity run, a model wrote the secret out, then recognised the social-engineering pattern and deleted it before finishing. Same weights, opposite results, decided by the harness wrapped around the model.

That is the lesson for defenders: safety behaviour lives in the whole system — the reviewer’s file coverage, the agent harness, the runtime guardrails — not in the model alone. It generalises the same blind spot seen in earlier image-borne injection work such as image-only prompt injection and convention-file abuse like AGENTS.md supply-chain injection, and it rhymes with the Gaslight trick of hiding text meant for a different AI reader.

Defenses

Review the attachments, not just the diff. The core failure is that reviewers skip images. The researchers built a prototype multimodal GitHub review app — running on a single 4 GB GPU with a small open model — that combines an invisible-character scan, a code-shape scan, an LLM pass over convention text, and, critically, an LLM pass over the images. In a live trial against 80 unseen pull requests, only one attack slipped through, with no false alarms on 30 legitimate PRs. Treat any image referenced by a policy or convention file as reviewable content.

Don’t let convention files silently expand the agent’s instructions. Files like AGENTS.md are read as policy at startup. Pin, review, and diff them like code, and be suspicious of conventions that point outward to other artifacts — especially images or remote resources.

Add a runtime layer that watches behaviour, not just payloads. Alert when an agent reads a credentials file such as .env that the current task gave it no reason to touch, and when it writes encoded blobs into source. Catching the action is more robust than trying to catch every payload before it ships.

Close the human-review gap. Require at least one substantive review — human or a multimodal bot — before merge to the default branch, and keep secrets out of the repo tree entirely (use a secrets manager) so an exfiltration read has nothing to find.

Status

ItemDetail
DisclosedJuly 11, 2026 (ASSET Research Group, UMKC), reported to affected vendors
Coding tools that leaked in testingCursor, Antigravity (under Sonnet, Gemini, GPT-5.5, among others)
Refused across all tested modelsAnthropic Claude Code
Reviewers bypassedCodeRabbit (images excluded by default), Cursor Bugbot
Prototype defenseMultimodal PR reviewer; 1 miss / 0 false positives on 80 unseen PRs

Sources