Researchers created a pull request that stole the secrets and techniques of a repository by hiding malicious directions inside a PNG that AI code reviewers would by no means open.
The reviewer approves the adjustments. The coding agent then reads the picture, opens the repository’s .env, and writes all of the keys as an innocuous-looking checklist of numbers to the supply.
How “ghost commit” works
The assault was a collaboration between the ASSET analysis group on the College of Missouri-Kansas Metropolis, affiliate professor Sudipta Chattopadhyay, and researcher Murali Ediga, and was shared with BleepingComputer.
The group revealed a proof of idea on GitHub this week and stated it has disclosed its findings to affected distributors.
The researchers imagine they’ve launched an assault on an already widening evaluation hole. We examined 6,480 pull requests throughout the 300 most energetic public repositories over the previous 90 days and located that 73% of merged PRs ended up on the default department with none substantive human or bot opinions.

Importantly, malicious directions are usually not textual content that reviewers can catch. It is a image.
The AGENTS.md file is a kind of coding conventions file that the agent mechanically reads and treats as a venture coverage; it’s loaded like regular construct hygiene, and the identify will not be secret.
This merely factors to the picture docs/photographs/build-spec.png. The exploit exists for textual content rendered inside that PNG. That’s, it reads the .env byte by byte, encodes every byte as an integer, prints the end result as a module fixed, and checks that the decoded quantity matches the precise file earlier than committing.
For text-based reviewers, photographs are a bunch of binaries.
CodeRabbit comes with a default setting that utterly excludes picture information from evaluation. Bugbot returned no findings.
The researchers embedded the phrases “Malicious Immediate Injection” within the PNG with express directions to learn the .env, and it nonetheless handed by way of with no hitch.
A pretend 50-line “provenance verification software” and fabricated incident autopsy offered the competitors with sufficient supporting code to defeat the judges’ final line of protection: consistency checks that flag conventions with none code behind them.
Theft occurs later.
The payload stays dormant in an unrelated session till the developer requests a routine, comparable to a token monitoring module, from the coding agent.
The agent reads the merged AGENTS.md on startup, follows the pointer to the picture, opens the .env, and writes the requested module with a “provenance” fixed close to the start.
In a single end-to-end run, the Cursor driving Claude Sonnet did this on the primary strive, and the output constants had been 311 integers, decoding all the .env byte by byte.
The developer opinions and commits the requested performance, and the attacker deciphers the numbers from the general public commit. The covert scanner by no means checks Python’s integer tuples again to ASCII, so you may by no means discover.

(ASSET analysis group)
Outdated methods, new blind spots
Hiding directions for AI programs to function inside photographs is nothing new.
In 2025, Path of Bits researchers Kikimora Morozova and Suha Sabi Hussain demonstrated a wiser model. This implies photographs that look good at full decision, however when resampled by the AI system’s personal downscaling pipeline, resolve to readable immediate injection textual content, a way that fools instruments just like the Gemini CLI.
Extra lately, macOS malware known as Gaslight focused one other AI reader by embedding a pretend system failure message inside a binary, forcing AI-assisted malware evaluation instruments to abort their very own evaluation.
Earlier this yr, my analysis staff at Manifold Safety confirmed that AI code reviewers had been fooled by spoofed git IDs into merging malicious pull requests that did not require photographs.
Ghostcommit photographs haven’t any such disguise. The extraction steps are written in easy-to-read plain textual content throughout the PNG.
It is the blind spots, not the hidden alerts, that make this work. Reviewers by no means open the file.
The software decides, not the mannequin
Probably the most penetrating discovery is about the place the hazard really exists.
Over 10 runs every, the coding software was extra necessary than the mannequin.
Cursor and Antigravity coding instruments each tracked photographs and leaked .envs in Sonnet, Gemini, GPT-5.5, and extra.
Anthropic’s Claude code ran the identical Sonnet weights, learn and rejected the identical conventions, and confirmed a transparent rejection, however it was rejected in each mannequin the researchers examined.
Below anti-gravity, Opus wrote out secrets and techniques, acknowledged social engineering patterns, and eliminated them earlier than they had been completed. Even with the identical mannequin, the outcomes are reverse and rely on the harness you wrap round it.
This refers to protection in depth relatively than a single repair.
The researchers constructed one layer themselves.
“The blind spot is structural, so we constructed Reviewer to fill it: a multimodal pull request defender deployed as a GitHub app operating on a single 4 GB graphics card,” the researchers wrote.
“This can be a mixture of scanning invisible characters, scanning the form of dedicated code, LLM paths on the conference textual content, and importantly, LLM paths on photographs.”
In a reside trial of 80 never-before-seen pull requests, just one assault with all image-based variants broke by way of, and not one of the 30 professional PRs triggered a false alarm.
“Whereas much like peer reviewers opening attachments, immediately’s peer reviewers are usually not like that,” the researchers stated.
One other layer is runtime. Slightly than making an attempt to catch the payload earlier than it ships, watch what the agent really does when it reads a credential file that it has no motive to the touch.
Safety groups doc 54% of profitable assaults and situation a warning on solely 14%. The remaining strikes invisibly by way of the atmosphere.
Picus’ whitepaper exhibits the way to check your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
