Security researchers have exposed a clever new way to weaponize AI coding assistants, and it hides in plain sight. The attack, named Ghostcommit, buries malicious instructions inside a PNG image so that AI code reviewers never catch them. As a result, a poisoned pull request can look completely harmless during review, then quietly steal secrets later.
Attackers hide prompt-injection instructions in an image referenced by an AGENTS.md file, which coding agents treat as guidance. Crucially, AI reviewers like Cursor Bugbot and CodeRabbit do not meaningfully inspect image content. So the pull request sails through review, since the real payload sits in pixels rather than visible text.
When a developer later asks the agent to handle a routine task, it reads the hidden image instructions and acts on them. From there, it accesses repository secrets such as the .env file, encodes the contents as integer tuples, and slips them into source code. That encoding is deliberate, because it helps the stolen data slide past typical secret scanners.
Researchers from the University of Missouri-Kansas City found that success depended more on the coding tool than the AI model itself. Cursor and Antigravity leaked secrets across multiple models, yet Anthropic’s Claude Code consistently refused to comply. That gap suggests strong guardrails at the tool level can blunt the attack, even when the underlying model stays the same.
The good news is that a defense already exists. The team disclosed the flaw to affected vendors and built a multimodal GitHub review app that inspects images too. In testing, it caught nearly every Ghostcommit variant with no false positives.
For developers everywhere, including Pakistan’s fast-growing software sector, the lesson is blunt, since AI tools now demand the same scrutiny as any other supply-chain risk.
