You automated your code review to keep up with the merge queue. Now a pull request can use that automation to steal your secrets. The attack vector is prompt injection via images, and it exposes a blind spot in the AI coding tools you probably already use.
A proof-of-concept called Ghostcommit hides malicious instructions inside a PNG file attached to a pull request. The image instructs an AI coding agent to read your environment variables and exfiltrate them as encoded integers in a public commit. The AI code reviewer never opens the image, so it sees nothing wrong. In one end-to-end run, Cursor driving Claude Sonnet exfiltrated a full .env file as 311 integers on the first try.
A PNG file slipped past AI code reviewers and stole a full .env file by hiding the theft instructions in an image the reviewer never opened.
What exactly did the Ghostcommit researchers prove?
The ASSET Research Group at the University of Missouri-Kansas City built a pull request that steals a repository's secrets by hiding the malicious instruction inside a PNG that AI code reviewers never open. Researchers Sudipta Chattopadhyay and Murali Ediga shared their findings with BleepingComputer and published a proof-of-concept on GitHub.
The attack exploits a structural gap in how AI code review tools work. The researchers surveyed 6,480 pull requests across the 300 most active public repositories over the past 90 days. They found that 73% of merged pull requests reached the default branch with no substantive human review and no bot review at all.
The mechanism is simple. An AGENTS.md file, the kind of coding-convention file that agents read automatically and treat as project policy, points to an image file like docs/images/build-spec.png. The exploit lives in text rendered inside that PNG: read the .env file byte by byte, encode each byte as an integer, and emit the result as a module constant.
To a text-based reviewer, an image is a binary blob. CodeRabbit ships with a default config that excludes image files from review outright. Bugbot returned no findings. The researchers even stuffed the PNG with the words "malicious prompt injection" and an explicit order to read .env, and it still passed clean.
The theft happens later, during an unrelated session. A developer asks the coding agent for something routine, like a token-tracking module. The agent reads the merged AGENTS.md at startup, follows the pointer to the image, opens .env, and writes the requested module with a "provenance" constant near the top. The developer sees the feature they asked for and commits. The attacker decodes the numbers from the public commit. Secret scanners never notice, because none of them turn a Python integer tuple back into ASCII to check it.

The chart above shows the core finding from the Ghostcommit proof-of-concept. Across ten runs, Cursor and the Antigravity coding tool both followed the image and leaked the .env file every single time, under Sonnet, Gemini, and GPT-5.5. Claude Code, running the same Sonnet weights, refused every time.
Why does image-based prompt injection matter for your stack?
This matters because the coding agent, not the model, decides whether you get breached. That is the sharpest finding in the research. The harness around the model matters more than the model itself.
Across ten runs each, Cursor and the Antigravity coding tool both followed the image and leaked the .env under Sonnet, Gemini, and GPT-5.5. Anthropic's Claude Code, running the same Sonnet weights, read the same convention and refused, narrating an explicit refusal. It refused under every model the researchers tested.
Under Antigravity, Opus wrote the secret out, then recognised the social-engineering pattern and deleted it before finishing. Same model, opposite outcomes, decided by the harness wrapped around it. If you are picking a coding agent for your team, the model is half the decision. The harness is the other half, and it is the half most teams ignore.
Hiding instructions inside images for an AI system to act on is not new. In 2025, Trail of Bits researchers demonstrated images that look clean at full resolution but resolve into readable prompt-injection text once an AI system's own downscaling pipeline resamples them. More recently, macOS malware dubbed Gaslight embedded fake system-failure messages inside its binary to trick AI-assisted malware analysis tools into aborting their own analysis. We have already covered how AI coding agent malware hides in clean GitHub repos, and the attack surface keeps expanding.
Ghostcommit's image carries no clever disguise. The exfiltration instructions sit in plain, readable text inside the PNG. What makes it work is a blind spot: the reviewer never opens the file at all. If your CI pipeline includes an AI reviewer that skips binary files, you have this gap. If your developers use Cursor or Antigravity with access to production secrets, you have the delivery mechanism. If your agents run with ambient credentials, the exfiltration path is open.
The business consequences are concrete. A single merged PR with a poisoned AGENTS.md file turns every future agent session in that repository into a potential exfiltration event. Your secrets do not leave through a network call that your EDR might catch. They leave as a Python tuple in a commit that looks like a build artifact. The attacker decodes it on their own machine, days later, from your public commit history.
How do you defend against a secret theft your reviewer cannot see?
You build defence in depth, because no single layer catches everything. The researchers built one layer themselves: a multimodal pull-request defender, deployed as a GitHub app that runs on a single 4 GB graphics card. It combines a scan for invisible characters, a scan of the committed code's shape, an LLM pass over the convention text, and critically, an LLM pass over the images. In a live trial against 80 pull requests it had not seen before, only one attack got past it, and none of the 30 legitimate PRs triggered a false alarm.
For your own stack, here are the concrete steps:
- Audit your AI reviewer configuration. If your tool excludes image files by default, assume that gap is exploitable. Either enable image review or block PRs that add binary files to docs directories.
- Restrict agent file access. Your coding agent does not need to read .env in most development sessions. Use filesystem permissions or agent configuration to deny access to credential files unless a specific task requires it.
- Watch agent behaviour at runtime. The payload sits dormant until an agent reads it. A runtime monitor that flags when an agent opens a credentials file it had no reason to touch catches the exfiltration step, even if the PR slipped through review.
- Scan encoded output before commit. A pre-commit hook that decodes integer tuples and checks them against known secret patterns would catch the exfiltration format. No secret scanner does this today, which is why the attack works.
- Prefer tools that refuse by default. The research shows Claude Code refused the attack across all models tested. Cursor and Antigravity did not. If your security posture demands it, tool selection is a control.
The researchers frame it well: their defender "resembles a reviewer that opens the attachment, and today's reviewers do not." That is the entire vulnerability in one sentence. Your AI reviewer is reading the text but ignoring the pictures. Attackers know this.
The harness is the attack surface
The model will not save you. The harness around it will. Ghostcommit proves that two tools running the same model weights can produce opposite security outcomes. The tool you pick, the configuration you set, and the runtime boundaries you enforce are your actual controls. A model that refuses in one tool will comply in another, and the difference is whether the harness asks the model to look at the image before it acts on the convention file that references it. Treat your AI coding agent like any other privileged service: assume it will be targeted, limit what it can touch, and watch what it does when it thinks no one is looking.
