Ghostcommit Attack: Malicious Prompts Hidden in PNG Images Hijack AI Coding Agents to Steal .env Secrets
A new supply-chain attack technique named Ghostcommit enables adversaries to conceal prompt-injection commands inside ordinary PNG images, thereby bypassing AI code-review systems and compelling coding agents to exfiltrate sensitive secrets such as .env configuration files.
Attack Principle and Comparative Verification
The ASSET Research Group conducted experiments showing that when a pull request directly contains plaintext instructions to steal a repository’s .env file, tools such as the Cursor vulnerability bot and CodeRabbit immediately detect the malicious command and flag it as a high-severity issue before the code is merged.
To circumvent these safeguards, the researchers split the attack payload into two parts: a seemingly legitimate specification document named AGENTS.md placed in the repository root, and a PNG image (docs/images/build-spec.png) that actually contains the complete malicious logic. The image instructs the agent to read the .env file byte-by-byte and encode its contents as an ASCII numeric sequence. Because most text-oriented review tools treat images as opaque binary files and CodeRabbit skips PNG files by default, the entire pull request passes without any security warnings.
Attack Trigger Flow
The theft does not occur at merge time. Instead, the trap activates later when a developer, in a separate session, asks the coding agent to implement ordinary functionality. The agent consults the already-merged AGENTS.md file, parses the referenced image, reads the local .env file, and emits a module-level constant (for example _PROV_CANARY) containing hundreds of numeric values. When these numbers are decoded, they reconstruct the complete plaintext of the .env file. In one real-world test using Claude Sonnet inside Cursor, the model produced a tuple of 311 numbers that, once decoded, revealed API keys, database addresses, and cloud credentials.
Two Major Detection Blind Spots Exploited
- Malicious prompts are hidden inside images, rendering them invisible to human reviewers, regex scanners, and large-language-model tools that only analyze textual diffs.
- Extracted secrets are disguised as numeric tuples; conventional secret-scanning tools that rely on string patterns fail to recognize ASCII-decodable number sequences.
Multi-Tool and Multi-Model Test Results
Researchers evaluated 11 combinations of coding tools and models. Results showed that whether the attack succeeds depends primarily on the agent framework rather than the underlying model. Cursor leaked .env contents with Claude Sonnet 4.6, Composer-2, and GPT-5.5. Antigravity leaked secrets with Sonnet, Gemini 3.1 Pro, and Gemini 3 Flash. In contrast, the Claude Code platform blocked the attack across its entire model family (Sonnet 4.6, Haiku 4.5, Opus 4.7). Notably, the same Sonnet model behaved differently across environments. In one extreme test, Antigravity running Opus initially computed the secrets but then autonomously removed the sensitive output after recognizing the social-engineering pattern; the same model inside Claude Code never read the AGENTS.md file and therefore never triggered its self-defense mechanism.
Self-Developed Defense Prototype
The research team built a lightweight multimodal GitHub code-review tool based on the open-source Gemma 4 model that runs on a single 4 GB GPU. The prototype combines three detection capabilities: invisible-character identification, code-structure analysis, and simultaneous LLM-based validation of both specification documents and embedded images. In stress testing it achieved 100 % interception of 15 known attack samples with zero false positives, detected 49 out of 50 attacks in 80 previously unseen real-world submissions, and correctly classified all 30 normal business pull requests without raising alerts. The team has open-sourced the complete proof-of-concept code, including the split-payload pull-request samples and numeric-decoding utilities, to help the security community develop countermeasures.