Ghostcommit hid prompt injection in images AI code reviewers never open, then stole repo secrets
On July 11, 2026, the ASSET Research Group (University of Missouri-Kansas City) published Ghostcommit, a proof of concept in which a pull request hides malicious instructions inside a PNG referenced by an AGENTS.md convention file. Text-based AI reviewers treat the image as a binary blob, CodeRabbit's default config excludes images from review outright, and the PR passes clean even with the words 'malicious prompt injection' rendered inside the picture. Later, when a coding agent reads the image during an unrelated task, it follows the embedded instructions, reads the repo's .env, and writes every secret into source code as an innocuous-looking list of integers. The group's survey found 73 percent of merged PRs across the 300 most active public repos received no substantive human or bot review.
Researchers smuggled agent instructions past AI code reviewers by putting them in a picture. The reviewers cannot see images, the coding agents can, and the payload exfiltrated .env secrets disguised as integer constants.
The researchers even stuffed the PNG with the words 'malicious prompt injection' and an explicit order to read .env, and it still passed clean.
Key facts
- What
- On July 11, 2026, the ASSET Research Group (University of Missouri-Kansas City) published Ghostcommit, a proof of concept in which a pull request hides malicious instructions inside a PNG referenced by an AGENTS.md convention file.
- Incident date
- Jul 11, 2026
- Who
- Multiple (AI code review and coding agents)
- Failure mode
- Prompt Injection
- AI surface
- Code Assistant
- Severity
- Medium
What happened
Associate professor Sudipta Chattopadhyay and researcher Murali Ediga built a pull request whose only unusual elements were an AGENTS.md file reading like ordinary build hygiene and a referenced image at docs/images/build-spec.png. The exploit text lives rendered inside the PNG: read .env byte by byte, encode each byte as an integer, emit the result as a module constant, and verify the decoded numbers match before commit. AI reviewers passed it; a fabricated 50-line provenance validator and fake incident postmortem defeated coherence checks that flag conventions with no supporting code. The payload sits dormant until a coding agent processes the image during a later task and executes the embedded instructions. The researchers found the harness mattered more than the model: the same underlying model leaked secrets under some coding tools and refused under others, depending on which files each harness loads and trusts. Findings were disclosed to affected vendors with a public PoC on GitHub.
What broke inside the model
- 01 · TriggerThe model reads retrieved or user-supplied text.
- 02 · Model stepThat text carries hidden instructions.
- 03 · Control gapNothing separates untrusted data from trusted commands.
- 04 · FailureThe injected instruction overrides the operator's.
- 05 · ConsequenceThe system acts on an outsider's intent.
At the injection point, retrieved text overrides the operator's instruction.
A modality gap became a trust gap. Review agents that reason over text treated an image as an opaque blob and approved around it, while execution agents with vision happily read the same image and treated its contents as project policy because a convention file told them to. No layer distinguished instructions authored by the repository owner from instructions injected by a contributor, and no layer applied the review verdict (image never inspected) to the execution decision (image obeyed). The agents' obedience to AGENTS.md conventions turned a documentation pointer into a privileged command channel.
What it cost
Sources
- Press'Ghostcommit' hides prompt injection in images to fool AI agents, steal secretsbleepingcomputer.com
- PressGhostcommit attack hides malicious AI instructions in imagesmalwarebytes.com
- PressAI Security Incident Case: Ghostcommit Attack Leveraged Images to Steal Secretsnsfocusglobal.com
Cite this entry
https://failureindex.ai/failures/ghostcommit-image-prompt-injection-ai-code-reviewAI Failure Index. "Ghostcommit hid prompt injection in images AI code reviewers never open, then stole repo secrets" (FI-0722). Realm Labs. https://failureindex.ai/failures/ghostcommit-image-prompt-injection-ai-code-review (indexed Jul 17, 2026).Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0722. Full dataset at /data.
Note from Realm Labs, the Index steward
How Realm would have caught this
- Prism
- OmniGuard
Prism catches the moment an agent's plan pivots from the user's task to instructions sourced from untrusted content, the signature move of an injection. OmniGuard blocks the exfiltration step: a coding agent reading .env and encoding secrets into source constants is an anomalous data flow that gets held at the boundary regardless of how cleverly the instruction arrived. AgentRealm scopes agents so repository content cannot escalate itself into policy.