A newly discovered attack technique called Ghostcommit demonstrates how attackers can hide malicious instructions inside ordinary image files to trick AI-powered coding assistants into exposing confidential information.
According to researchers, the attack targets AI code review systems and coding agents by embedding hidden prompt-injection commands inside PNG images instead of text files, making the attack significantly harder to detect.
Hidden Instructions Stored Inside Images
Researchers found that the attack splits its malicious payload into two components.
The first component is an innocent-looking instruction file that simply asks an AI coding assistant to read a referenced image.
The second component is a PNG image containing hidden text instructions directing the AI to:
- Read sensitive .env files
- Extract API keys
- Access database credentials
- Collect cloud authentication secrets
- Encode the stolen information into source code
Because many AI review tools inspect only text-based changes, the hidden image instructions often escape detection.
Attack Begins After Code Merge
Researchers explained that the malicious code does not activate immediately.
Instead:
- The pull request passes review.
- The code is merged into the repository.
- A developer later uses an AI coding assistant.
- The AI reads the hidden image instructions.
- Sensitive information is extracted.
- The AI unknowingly inserts encoded secrets into generated code.
In one demonstration, an AI assistant generated more than 300 encoded integers representing confidential environment variables.
Attackers could later decode these numbers to recover API keys, cloud credentials and database connection details.
Two Layers of Evasion
Ghostcommit is designed to bypass multiple security controls.
Researchers identified two primary evasion techniques:
- Hidden prompt injection stored inside image files instead of plain text.
- Sensitive data converted into numerical values instead of readable credentials.
Traditional secret-scanning tools typically search for recognisable passwords, tokens and API keys, making encoded numerical sequences far less likely to be detected.
AI Tools Responded Differently
Researchers tested multiple AI coding environments using different large language models.
The study found:
- Some AI environments leaked sensitive data.
- Certain GPT and Claude integrations followed the malicious instructions.
- Some Gemini-based implementations were also affected.
- Claude Code consistently refused to execute the hidden commands during testing.
The findings indicate that security depends not only on the underlying AI model but also on how developers integrate and secure the coding environment.
New Detection System Developed
Researchers also introduced a prototype security system capable of detecting these attacks.
The system combines:
- Image analysis
- Code inspection
- Prompt-injection detection
- AI-assisted security review
- Embedded content scanning
According to the researchers, the prototype successfully detected all known Ghostcommit attack samples during testing without producing false alarms.
Why This Matters
As organisations increasingly adopt AI-powered software development tools, attackers are beginning to target AI workflows instead of traditional software vulnerabilities.
Ghostcommit highlights emerging risks involving:
- AI coding assistants
- Software supply chains
- Prompt injection
- Hidden multimedia payloads
- Credential theft
- Repository compromise
Security teams may need to rethink existing code review practices to include inspection of embedded image content and AI-generated outputs.
Best Practices for Organisations
Cybersecurity experts recommend organisations:
- Restrict AI access to sensitive files.
- Review AI-generated code before deployment.
- Scan image files used within repositories.
- Monitor unusual code generation patterns.
- Implement AI-specific security policies.
- Limit repository permissions using least-privilege access controls.
Conclusion
Ghostcommit represents a new generation of AI-focused cyber threats that exploit hidden instructions embedded within image files rather than traditional malicious code.
As AI coding assistants become increasingly integrated into software development, organisations will need stronger security controls, multimodal scanning capabilities and careful human oversight to defend against emerging prompt-injection attacks.
Shunyatax Global Insight
Shunyatax Global says that AI security is rapidly becoming a board-level cybersecurity issue. Organisations adopting AI coding assistants should treat AI agents as privileged users by limiting repository permissions, restricting access to sensitive credentials, enabling continuous security monitoring and implementing human review for all AI-generated code before production deployment.