Ghostcommit attack hides prompt injection in PNG images to steal repository secrets
digitaltrends.com

Ghostcommit attack hides prompt injection in PNG images to steal repository secrets

Tech News
3 min read

Published by AINave Editorial • Reviewed by Ramit

TL;DRResearchers demonstrate Ghostcommit, a pull-request attack that hides prompt injection inside PNG images to trick AI code reviewers into leaking repository secrets.

A new attack called Ghostcommit hides malicious instructions inside PNG images attached to pull requests, tricking AI coding assistants into exposing sensitive files like .env secrets during unrelated tasks later. The attack exploits a blind spot in how many AI review tools treat images as decorative rather than inspectable content.

What happened

Researchers Sudipta Chattopadhyay and Murali Ediga demonstrated Ghostcommit, a pull-request attack that hides malicious instructions inside a PNG image. Since many AI code review tools treat images as decorative assets rather than something worth inspecting, the pull request appears harmless and passes review. The hidden instructions don't execute immediately. They wait until a developer later asks an AI coding assistant to perform an unrelated task, such as creating a helper function. By then, the AI has absorbed the hidden commands and can unknowingly access sensitive project files, slipping confidential information into generated code disguised as ordinary-looking values.

The attack is a form of prompt injection where adversarial prompts are embedded in non-textual elements like images. The malicious instruction is invisible to human reviewers, regex scanners, and LLM reviewers that only parse the unified text diff.

Why AI builders should care

AI-assisted coding tools dramatically speed software development but introduce new attack surfaces. The Ghostcommit attack doesn't depend on a specific AI model. The same model behaves differently depending on the coding assistant wrapped around it. Some tools blindly follow hidden instructions, while others recognize something suspicious and refuse to continue. The real challenge lies in how AI-powered coding platforms decide what information to trust and which project files they're allowed to access.

For teams building or integrating AI code reviewers, this means the security posture of the tool configuration matters as much as the model itself. If your review pipeline treats images, documentation, and configuration files as low-risk assets, you're exposed to this class of attack.

Practical implications

Developers should supervise AI tools and treat all non-code assets in pull requests with the same rigor as source code. The researchers advocate for multimodal scrutiny -- treating images, docs, and config files as code-level review items. If an AI can read a picture, it also needs to understand that the picture could be trying to manipulate it.

Organizations should include non-code assets in threat modeling and implement stricter access controls to prevent leakage of repository secrets via generated code. Review workflows should not rely solely on model output; human oversight and tool-level safeguards are essential.

Caveats

This is early-stage research, and details vary across reports. Not all AI coding assistants react the same way to hidden prompts. Outcomes depend on the specific tool configurations and surrounding workflows. The attack is a proof of concept, not a fixed universal vulnerability. As with any emerging security research, builders should evaluate their own tooling and risk profile rather than assuming all systems are equally vulnerable.

FAQs

Prompt injection is the technique of feeding an AI agent with instructions through content it processes, potentially altering its behavior. Adversarial prompts can be embedded in non-textual elements, such as hidden instructions within images. In the Ghostcommit attack, researchers hid malicious instructions inside a PNG image attached to a pull request. The AI reads the image later during an unrelated task and follows the hidden commands, because many review tools treat images as decorative rather than inspecting them for embedded prompts.

Sources

Latest Tech News