Cybersecurity researchers have uncovered a new supply chain attack technique called “Ghostcommit”, which hides malicious instructions inside image files to manipulate artificial intelligence (AI) coding assistants. The attack targets AI-powered code review tools and coding agents by embedding hidden prompt-injection commands within PNG images, allowing attackers to steal sensitive information such as .env files containing API keys, database details and cloud credentials.
The ASSET Research Group demonstrated that traditional AI code reviewers can easily detect a direct malicious instruction written in plain text. However, by splitting the attack payload between a harmless-looking instruction file and an image containing hidden commands, attackers can bypass automated security reviews.
Malicious Instructions Hidden Inside Images
Researchers explained that a normal pull request containing a clear instruction to extract and leak a repository’s .env file is immediately flagged by AI-based code review systems such as Cursor Bugbot and CodeRabbit.
To avoid detection, the Ghostcommit attack divides the malicious payload into two parts. A file named AGENTS.md contains an innocent-looking instruction asking the AI coding agent to “derive a build constant” from a referenced image file.
The actual malicious instructions are stored inside the image itself. The PNG file contains hidden text directing the AI agent to read the .env file, convert its contents into ASCII integer values and insert them into source code.
Since many AI code review systems analyse text-based changes but ignore image content, the malicious pull request can pass security checks without triggering alerts.
Attack Activates After Code Merge
Researchers said the attack does not immediately steal information when the code is merged. Instead, the trap activates later when a developer uses an AI coding assistant during a normal programming task.
The AI agent reads the merged AGENTS.md file, follows the image reference and executes the hidden instructions. It then generates code containing hundreds of integers that represent the stolen .env file contents.
In a demonstrated attack scenario, an AI coding assistant powered by Claude Sonnet generated a 311-integer sequence containing sensitive information. The attacker could later convert the numbers back into readable text and recover API keys, database URLs and cloud access credentials.
Two-Level Evasion Strategy
The Ghostcommit technique exploits two separate weaknesses.
First, the malicious prompt is hidden inside an image, making it difficult for human reviewers, traditional scanners and AI tools that only analyse text differences to detect.
Second, the stolen data is converted into an integer tuple instead of appearing as normal text credentials. Conventional secret-scanning tools usually search for recognisable patterns such as passwords, tokens or API keys, but they may fail to identify encoded numerical sequences.
Researchers said this combination allows attackers to hide both the malicious instructions and the stolen information in formats that security systems are not designed to detect.
Different AI Tools Show Different Responses
Testing across multiple AI coding tools and models showed that security outcomes depended heavily on the surrounding AI framework rather than only the underlying language model.
Researchers found that some AI coding environments leaked the complete .env contents across multiple models, including GPT-5.5 and different versions of Claude and Gemini models.
However, Claude Code refused to execute the malicious instructions across all tested models, showing that the same AI model may behave differently depending on how it is integrated into a coding environment.
In one case, an AI model generated the secret information but later identified the social-engineering pattern and removed it before completing the task.
Researchers Develop Detection System
To counter such attacks, researchers created a prototype multimodal GitHub security review system. The tool combines image analysis, code-pattern detection and AI-based inspection of both text instructions and embedded image content.
During testing against multiple attack techniques, the prototype detected all malicious pull requests without generating false positives. It also identified almost all previously unseen attack samples while avoiding alerts on legitimate code submissions.
The researchers have released their proof-of-concept attack method and detection approach publicly so security teams can study and improve defences against AI-driven supply chain attacks.
Growing Threat From AI-Based Attacks
Cybersecurity experts believe Ghostcommit highlights a new category of risks emerging with the rapid adoption of AI coding assistants. As organisations increasingly rely on AI agents for software development, attackers are finding new ways to manipulate these systems through hidden instructions and social-engineering techniques.
Experts recommend organisations implement strict AI usage policies, review AI-generated code carefully, monitor repository changes and ensure that AI tools have limited access to sensitive files and credentials.
