Ghostcommit weaponizes images to steal secrets from AI agents
Ghostcommit is a prompt injection attack that hides malicious instructions inside PNG files in pull requests. It exploits a blind spot in AI code reviewers to steal .env secrets, exposing a critical new attack surface for teams shipping with coding agents.