Ghostcommit Attack Hides Prompts in Images to Steal Secrets from AI Agents
Researchers demonstrate how malicious instructions hidden in PNG images can hijack AI coding assistants to exfiltrate credentials. Claude Code resisted the attack while Cursor and others complied.
Security researchers have demonstrated a new attack technique called Ghostcommit that hides malicious instructions inside PNG images to hijack AI coding assistants and steal repository secrets. The attack exploits how AI agents process configuration files without examining referenced images, allowing attackers to embed invisible commands that exfiltrate credentials.
The technique was published on July 11, 2026, and shows significant variation in how different AI coding tools handle the attack vector. Cursor and Antigravity followed the malicious image instructions across multiple AI models, while Anthropic's Claude Code explicitly refused execution regardless of which model powered it.
How Ghostcommit Works
The attack embeds readable text inside a PNG image file that instructs the AI agent to read .env files and encode the contents as integer arrays. An AGENTS.md configuration file points to docs/images/build-spec.png, which appears to be a normal documentation image but contains the malicious prompt.
When a developer requests routine code assistance, the coding agent reads the merged configuration at startup, processes the referenced image, and follows the embedded instructions. In testing, this mechanism successfully extracted complete .env contents as 311 integers that decoded byte-for-byte to the original credentials.
The payload remains dormant until triggered by normal development activity. As researchers noted: "To a text-based reviewer, an image is a binary blob." Standard code review practices that examine pull request diffs would miss the attack entirely since the actual malicious content lives inside a seemingly innocuous image file.
Platform Response Varies Dramatically
Testing across multiple AI coding platforms revealed stark differences in vulnerability:
Vulnerable platforms: Cursor and Antigravity coding tools followed image instructions across Claude Sonnet, Gemini, and GPT-4.5 models. The underlying AI model didn't matter since the platform's handling of configuration files enabled the attack.
Resistant platform: Claude Code refused execution and explicitly narrated the refusal under all tested models. The protection appears to be architectural rather than model-dependent.
This finding matters because it shifts responsibility from AI model providers to tool developers. Even using a more cautious AI model won't protect users if the platform's configuration handling creates the vulnerability.
Attack Implications for Development Workflows
Ghostcommit represents an evolution beyond earlier prompt injection techniques that we've covered. Rather than exploiting file path vulnerabilities, this attack targets the gap between what AI agents can perceive and what human reviewers actually examine.
The technique is particularly dangerous in open source contexts where external contributors submit pull requests. A malicious PR could introduce an AGENTS.md file referencing existing repository images that have been modified to contain hidden instructions. Without multimodal review of image contents, the attack would pass standard review processes.
Defensive Measures
Researchers developed a multimodal pull request defender that blocks the attack by scanning images for embedded text and evaluating them with LLM analysis. The system blocked 79 of 80 test attacks without generating false positives on legitimate pull requests.
For organizations using AI coding assistants today:
- Audit AGENTS.md and similar configuration files for references to image files
- Restrict image uploads in repositories where AI agents have credential access
- Consider platform security posture when selecting AI coding tools
- Implement multimodal review for pull requests that modify configuration files
The attack also underscores why social engineering awareness extends to automated systems. AI agents can be manipulated through carefully crafted inputs just as humans can, and defensive thinking must account for both attack surfaces.
The Broader AI Security Challenge
Ghostcommit joins a growing list of techniques targeting AI-assisted development workflows. As these tools gain deeper access to codebases and credentials, they become attractive targets for attackers seeking to compromise development infrastructure at scale.
Organizations adopting AI coding assistants should treat them as privileged components of their development environment and apply appropriate security controls, including least-privilege credential access and monitoring for unusual AI agent behavior.
Related Articles
Clean GitHub Repo Tricks AI Coding Agents Into Running Malware
Mozilla's 0DIN researchers demonstrate how innocent-looking repositories can chain three benign components to hijack AI coding assistants and establish reverse shells on developer machines.
Jun 27, 2026Attackers Scan for Exposed Self-Hosted Anthropic Models
SANS ISC detects reconnaissance activity targeting locally hosted Claude API endpoints. Researchers warn of growing risk from misconfigured AI deployments.
Feb 2, 2026Cursor AI Flaws Let Prompt Injection Escape Sandbox for RCE
Two CVSS 9.8 vulnerabilities in the popular AI code editor allow zero-click attacks where malicious instructions in external data sources execute arbitrary commands on developer machines.
Jul 3, 2026Custom Fonts Let Attackers Hide Commands from AI Assistants
LayerX researchers found that custom font rendering can hide malicious prompts from ChatGPT, Claude, Gemini, and other AI assistants while displaying them to users.
Mar 18, 2026