News
Ghostcommit: PNG Image Attack Tricks AI Coding Agents Into Stealing Passwords

Researchers at the University of Missouri-Kansas City described Ghostcommit, an attack that hides malicious instructions inside a PNG image in an AGENTS.md file to trick coding agents into exfiltrating data from .env files. Cursor, Antigravity, Claude Sonnet, and GPT-5.5 fell for it, while Claude Code refused every time.
Contents
The ASSET research team at the University of Missouri-Kansas City has described a new attack on AI coding agents, called Ghostcommit. The technique hides malicious instructions inside a PNG image placed in a repository's AGENTS.md file, tricking the AI assistant into reading a file containing sensitive .env data, encoding it as a list of integers, and writing the result straight into the code, where it slips past secret scanners.
How the attack works
The mechanism exploits a gap in how automated code review tools such as CodeRabbit or Bugbot handle image files. These bots don't open images at all, so malicious text hidden inside a PNG placed in an AGENTS.md file passes through automated review unnoticed. AGENTS.md itself serves in many projects as an instruction file for AI agents, describing the repository's context, so the agent treats its contents, including text embedded in the image, as a trustworthy command.
The instruction hidden in the image tells the agent to read the .env file byte by byte, encode each byte as an integer, and save the result as a module constant in the source code. The attack doesn't trigger immediately; instead it waits until a developer asks the AI assistant to carry out a completely unrelated task, such as writing a helper function or adding a new module. By that point the agent has already absorbed the hidden instructions and, while doing its ordinary work, appends the encoded secrets to the generated code.
Which tools were fooled
The researchers tested the attack on several popular AI-assisted development environments. Cursor, Antigravity, and the Claude Sonnet, Gemini, and GPT-5.5 models could all be induced to carry out the hidden instructions. The exception was Anthropic's Claude Code, which refused to execute the attack across every model configuration tested, a result the researchers say suggests that safeguards built into the tool itself matter more than the choice of language model.
Across ten runs each, the coding tool mattered more than the model - Sudipta Chattopadhyay and Murali Ediga, ASSET Research Group, University of Missouri-Kansas City
The scale of the code review problem
The most troubling part of the study isn't the attack itself but the context in which it could spread. An analysis of 6,480 pull requests across the 300 most active public repositories over the last 90 days found that 73 percent were merged into the main branch without any real review, by either a human or an automated bot. That means a malicious AGENTS.md file with a hidden image could reach many projects almost unnoticed.
The team also built a simple defense based on an extra scanning layer, which in a test on 80 previously unseen pull requests caught all but one attack, with zero false positives across 30 legitimate submissions. That shows the problem can be contained, but it requires deliberately adding another verification layer rather than relying solely on the model's built-in safeguards.
What it means for companies using coding agents
For Polish development teams increasingly relying on AI agents like Cursor or Antigravity for daily work, Ghostcommit is further proof that configuration files meant for agents, such as AGENTS.md, require the same level of scrutiny as source code. Open source repositories that accept outside contributions are especially exposed, since a malicious image can enter a project alongside a seemingly innocuous pull request.
The researchers stress that automated review tools need to become fully multimodal, analyzing images, documentation, and configuration files with the same care as the code itself. If an AI agent can read an image, it also needs to be able to recognize that the image might be trying to manipulate it. A proof of concept for the attack has been published on GitHub, and the findings were disclosed to the makers of the vulnerable tools before publication.
Ghostcommit joins a growing list of techniques that use hidden instructions embedded in multimedia content to attack AI agents, alongside previously documented attacks via poisoned websites and manipulation of the image downsampling process in tools such as Gemini CLI.
Sources: Ghostcommit hides prompt injection in images to fool AI agents, steal secrets (bleepingcomputer.com), Researchers hid a prompt injection inside a PNG, and AI fell for it (digitaltrends.com)


