AI, News

Ghostcommit attack hides malicious AI instructions in images

| July 13, 2026
Ghostcommit

Ghostcommit is a proof of concept that shows how AI assistants used to review software code can be tricked by hidden instructions embedded in images.

The academic ASSET Research Group showed that an attacker can place instructions inside an image file, point to it in an AGENTS.md file, and get an AI coding agent to follow those instructions during a later task.

A pull request is basically a formal “please review and add my changes” request that a developer sends before changes are added to the main version of a software project. Human reviewers and, increasingly, AI coding tools may review the changes before they’re accepted.

While AI-assisted code review is becoming part of everyday development, Ghostcommit exposes a weakness many teams have not considered. A human reviewer may read the code and skip an attached image. In the researchers’ proof of concept, the malicious instructions were hidden inside a PNG file referenced by repository policy files, while the visible pull request looked ordinary.

As the researchers demonstrated, this can turn routine developer workflows into a channel for stealing secrets. An AI coding agent reads those hidden instructions, even though a human reviewer is unlikely to inspect the image.

The attack is simple in concept but dangerous in practice. A pull request introduces a harmless-looking image and a configuration file that tells the agent to trust it. When the agent later works on a normal task, it follows the hidden instructions, reads sensitive files, and writes the secrets back into the code in an obfuscated form. That creates a path for secret theft that may slip past both human reviewers and automated scanners.

The researchers found that the harness—the wrapper around the AI model—had a bigger impact on whether secrets were leaked than the underlying model itself. In practice, the harness (Cursor, Antigravity, Claude Code) decides which files to load, which conventions to trust, what guardrails to apply, and whether to follow instructions buried in an image. As a result, the same model can behave very differently depending on the coding tool that uses it. The model then carries out whatever task the tool presents.

For example, the same model (Claude Sonnet) behaved very differently in different tools. Under Cursor and Antigravity, Sonnet read the PNG, followed the convention, and dutifully recorded the secrets in the source code. But under Anthropic’s Claude Code harness, the same Sonnet model read the same convention and refused, explicitly stating that exfiltrating secrets was inappropriate. Claude Code refused under every model the researchers tested.

How to stay safe

The lesson is that prompt injection is no longer just a text problem. Multimodal inputs like images can also carry instructions that AI agents may obey if the toolchain allows it. Teams should assume that anything a coding agent can read—including images, documents, and other multimodal inputs—could contain attacker-controlled content.

Organizations using AI coding tools should treat this as both a software supply chain and AI agent security issue. The most important defenses are to restrict access to secrets, inspect non-text attachments, and monitor AI agents for unusual attempts to read credentials or config files.

The research also highlights that the coding tool and its permissions are ultimately what make this attack possible, rather than the AI model in isolation.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

About the author

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.