Ghostcommit: The AI Prompt Injection Attack Hiding Inside Your Repository's Images

A newly demonstrated technique smuggles malicious instructions inside PNG files to bypass AI code reviewers and exfiltrate environment secrets — with no one noticing.

Ghostcommit: The AI Prompt Injection Attack Hiding Inside Your Repository's Images

A PNG File That Steals Your Secrets: Meet Ghostcommit

Security researchers have demonstrated a new and deeply unsettling attack technique called Ghostcommit — an AI prompt injection attack that hides malicious instructions inside ordinary-looking PNG image files, slips past AI-powered code review tools, and instructs coding agents to extract sensitive credentials from a repository's environment files. The attack doesn't exploit a software bug in the traditional sense. It exploits something more fundamental: the trust developers and their AI tools place in the automated review pipeline itself.

The technique works by embedding text-based prompt instructions within an image file in a way that AI coding agents can read and act upon, while visual code reviewers — including widely used tools like CodeRabbit and Bugbot — completely miss it. The reason? Neither tool opens or inspects image files during code review. Once the injected image is committed to a repository and a coding agent processes the repository, the hidden instructions activate. In the researchers' demonstration, the agent was directed to locate the repository's .env file, read its contents, and encode every secret it found into the source code disguised as a list of numbers — effectively laundering credentials into plain sight without triggering typical secret-scanning alarms.

How the Attack Pipeline Actually Functions

Cybersecurity threat concept showing code and vulnerability exploitation
Ghostcommit exploits the gap between what AI reviewers inspect and what coding agents execute

To understand why Ghostcommit is alarming, it helps to understand how modern AI-assisted development workflows are structured. Many engineering teams now rely on AI code review bots that automatically scan pull requests before human review. Tools like CodeRabbit and Bugbot analyse code changes and flag potential issues. Separately, coding agents — AI systems that can autonomously write, modify, and execute code — have become increasingly common in developer workflows, particularly for repetitive tasks.

Ghostcommit exploits the seam between these two layers. The attacker crafts a PNG image that contains embedded prompt injection text. This text is not visible to a human viewer examining the image, but it is readable by an AI agent that processes the image file as part of a repository scan. When an AI code reviewer like CodeRabbit or Bugbot encounters the image, it does nothing — these tools simply do not inspect image files. The malicious payload sails through review undetected.

Later, when a coding agent with broader file-access permissions encounters the repository, it reads the PNG and acts on the embedded instructions. In the researchers' proof-of-concept, those instructions directed the agent to read the .env file — typically containing API keys, database credentials, cloud access tokens, and other sensitive configuration data — and write that information into the codebase as a list of numeric values. This obfuscation technique is significant: many secret-scanning tools look for patterns like AWS_SECRET_KEY= or DATABASE_PASSWORD=, but a list of numbers encoding those values character-by-character would evade most signature-based detectors.

According to reporting by BleepingComputer, the technique successfully bypassed both CodeRabbit and Bugbot in controlled testing, neither of which flagged the malicious image during the review phase.

"The most dangerous attacks are not those that break the rules — they are those that follow the rules perfectly, while the rules themselves were never designed for this threat model."

— Security researcher perspective on AI agent exploitation

Why Prompt Injection Is Becoming the Defining AI Security Threat

Ghostcommit is not an isolated curiosity. It represents the sharp edge of a much broader and rapidly escalating category of attacks: prompt injection. As organisations deploy more AI agents with real-world capabilities — the ability to read files, write code, call APIs, send emails, and browse the web — the attack surface expands dramatically. Traditional cybersecurity defences, designed to protect software systems with deterministic logic, are poorly suited to defend systems whose behaviour is shaped by natural language instructions.

The OWASP Top 10 for Large Language Model Applications identifies prompt injection as the number one vulnerability for LLM-based systems. OWASP defines it as occurring when an attacker manipulates an LLM through crafted inputs, causing the model to execute unintended actions or reveal confidential information. Ghostcommit demonstrates a particularly sophisticated variant: indirect prompt injection, where the malicious instructions don't come from the user interacting with the AI directly, but are instead embedded in data the AI reads from the environment — in this case, an image file within a repository.

Research published on arXiv has explored indirect prompt injection at length, with academics noting that as AI agents gain the ability to browse the web, read documents, and process multimedia, the attack surface for embedding hidden instructions grows correspondingly. An image, a PDF, a web page, or even a comment in a code file can all potentially serve as a vector.

#1OWASP LLM Vulnerability: Prompt Injection
0Image files inspected by CodeRabbit & Bugbot
100%Bypass rate in researcher demonstration
↑ 3xGrowth in AI agent deployments in development pipelines

The Blind Spots Built Into AI Code Review Tools

The Ghostcommit demonstration exposes a structural assumption baked into most AI code review systems: that only source code files matter. This is historically reasonable — code review is about code. But as repositories evolve to contain richer content, including images used in documentation, embedded assets, configuration templates, and increasingly AI-readable data formats, the boundary between "code" and "everything else" becomes a security liability.

CodeRabbit and Bugbot, both legitimate and widely used tools in professional development environments, were not designed to inspect image files for embedded text instructions. They were not at fault for missing the attack; the attack was designed specifically to exploit the gap in their inspection scope. This is precisely what makes Ghostcommit dangerous: it doesn't require the attacker to find a bug in a specific version of a specific tool. It requires only that the attacker understand the architectural assumptions of AI-assisted development pipelines — assumptions that are largely universal.

Attack Component Method Detection Risk
Malicious PNG with embedded prompt Injected text instructions inside image file Very Low — image files not scanned
AI code reviewer bypass CodeRabbit/Bugbot skip image files entirely None in testing
Coding agent instruction execution Agent reads PNG, acts on hidden instructions Low — agent follows instructions as designed
.env file exfiltration Agent reads environment secrets Low — legitimate agent capability
Obfuscated secret encoding Secrets written as numeric lists in code Very Low — evades pattern-based scanners

The numeric encoding technique used to exfiltrate secrets is also worth examining carefully. Most repository secret scanners, including GitHub's own secret scanning feature and tools like TruffleHog, work by identifying patterns that look like secrets — strings matching known formats for API keys, tokens, and passwords. A credential encoded as a sequence of ASCII values represented as integers does not match these patterns. Without knowing to look for this specific obfuscation, automated scanning would pass it cleanly.

GDPR, Data Sovereignty, and What Ghostcommit Means for European Organisations

Digital privacy and data protection concept for European organisations
For GDPR-regulated organisations, undetected credential theft via AI agents poses serious compliance risks

For European organisations operating under GDPR, the implications of an attack like Ghostcommit extend well beyond immediate security concerns. If environment secrets exfiltrated through this technique include database credentials containing personal data, API keys for systems processing user information, or cloud access tokens with access to personal data storage, the incident may constitute a personal data breach requiring notification to supervisory authorities under Article 33 of GDPR — typically within 72 hours of becoming aware.

The insidious nature of Ghostcommit is that the breach may not be immediately visible. The secrets are encoded into the repository's code, potentially committed, reviewed (and missed), and even deployed before anyone notices. The window between exfiltration and detection could be substantial, complicating both the breach response and the regulatory timeline.

For IT decision makers and privacy professionals evaluating their AI-assisted development pipelines, this attack raises urgent questions about data sovereignty. Many organisations processing sensitive data are working to keep that data within European jurisdictions, using EU-hosted cloud infrastructure and open-source tooling to maintain control. But if the AI coding agents and review bots integrated into those pipelines are not subject to the same scrutiny as the infrastructure itself, a vulnerability like Ghostcommit becomes a backdoor through an otherwise sovereign architecture.

The EU AI Act, which entered into force and is being progressively applied, does not currently address prompt injection vulnerabilities directly, but its requirements for high-risk AI systems to be robust against adversarial manipulation are relevant context. As AI agents take on more consequential roles in software development pipelines — particularly in critical infrastructure and regulated industries — regulators are likely to increase scrutiny of exactly these kinds of attack surfaces, as noted in analysis from Wired.

What Developers and Security Teams Should Do Right Now

Ghostcommit does not

Originally reported by BleepingComputer. Summarised and curated by European Purpose.