• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
Sq Magazine LogoSQ Magazine

Smarter Insights for a Fast-Moving Digital World

  • Latest News
  • Statistics
  • About
  • Contact
Subscribe
Sq Magazine Logo
  • Latest News
  • Statistics
  • About
  • Contact
Subscribe
Home » Cybersecurity

GhostCommit Attack Hides Prompt Injection Inside Images

Published on: July 13, 2026
Sofia Ramirez
Written By
Sofia Ramirez
Sofia Ramirez
Senior Tech Writer • 488 Articles
Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps reader...
LATEST POSTS:
How Old Is Google? Founding Date, Age, and Company History
Tangem Wallet Cards Vulnerable to Laser Fault Attack
Apple’s Foldable iPhone Ultra Battery Capacity Allegedly Leaks
Robert A. Lee
Reviewed By
Robert A. Lee
Robert A. Lee
Senior Editor • 405 Articles
Robert A. Lee is a journalist at SQ Magazine who unpacks the fast-moving worlds of gaming and internet trends. He tracks everything from maj...
LATEST POSTS:
How Many People Use YouTube 2026: Users by Country
Best Times to Post on Instagram 2026: Data-Backed by Day and Hour
Email Marketing Statistics 2026: Trends Benchmarks and What’s Actually Working
Ghostcommit Attack Hides Prompt Injection Inside Images
As Featured In
The New York Times LogoForbes LogoWired LogoDeloitte LogoResearch.com Logo
Share on LinkedIn ChatGPT Perplexity Share on X Share on Facebook

University of Missouri, Kansas City researchers disclosed GhostCommit on July 10, 2026, a proof-of-concept attack that hides a secret stealing instruction inside a pull request’s image file. AI code reviewers never open the picture, but AI coding agents do, and later leak the secret on their own.

Quick Summary – TLDR:

  • GhostCommit hides its exfiltration procedure inside a PNG image, so text-only tools like CodeRabbit and Bugbot see only a binary blob with nothing to flag.
  • ASSET Research Group’s own review-gap survey found 6,480 pull requests across 300 active public repositories, and 73% of merged code reached the default branch with no substantive human review and no bot review at all.
  • In one test run, Cursor driving Claude Sonnet autonomously decoded a target’s entire `.env` file into a 311-integer module constant, an unmonitored form of Shadow AI usage that looks like routine build metadata.
  • Cursor and Antigravity leaked the secret, but the same Sonnet weights refused every time under Anthropic’s Claude Code, per Anthropic’s own harness comparison.
  • The researchers’ own multimodal defender, built around a single 4 GB graphics card, caught 49 of 50 live attacks and flagged none of the thirty legitimate pull requests it saw.

GhostCommit Hides an Exploit Inside an Image

The convention file at the center of the attack, `AGENTS.md`, is the kind of coding-standard document that agents read automatically and treat as project policy. GhostCommit’s version names no secret and spells out no procedure; it only points at an image, `docs/images/build-spec.png`.

Everything dangerous sits inside that PNG. The rendered text tells an agent to read `.env` byte by byte, encode each byte as its ASCII codepoint, and emit the result as a module constant. A fake validator script and a fabricated postmortem give the convention enough supporting code to survive a coherence check built to flag rules with nothing behind them.

CodeRabbit’s own default configuration excludes image files from review outright, and Bugbot returned no findings, even when researchers stuffed the picture with the words “malicious prompt injection” and an explicit order to read `.env`. To a reviewer that only reads text, an image is just noise, not a threat signal.

A developer later asks their AI coding agent for something ordinary, and the agent reads the merged convention, opens the image, follows it, and writes the contents of `.env` into the new module as a tuple of integers. The developer commits the feature they asked for, and the attacker decodes the numbers straight out of the public commit.

No real credentials were at risk. Every test ran against a seeded, defanged canary credential inside repositories the researchers owned.

‘Ghostcommit’ hides prompt injection in images to fool AI agents and steal repo secrets – @Ax_Sharmahttps://t.co/ylzIoK8uxL

— BleepingComputer (@BleepinComputer) July 11, 2026

Why Reviewers Miss the Picture?

A text-based reviewer catches the blunt version of this attack instantly, since a spelled-out instruction to read `.env` and encode it is easy to flag before merge. Splitting the payload across a convention file and a separate image defeats that same reviewer, because neither Bugbot nor CodeRabbit inspects the picture itself. it resembles a reviewer that opens the attachment, and today’s reviewers do not.

That review gap is what turns a plain-text version of this payload into a working exploit. Secret scanners add a second blind spot on the way out: none of them convert a Python-style integer tuple back into ASCII text before checking it against known credential formats.

The Harness Decides, Not the Model

Across 10 runs per pairing, every coding tool tested under Cursor, Antigravity, and Codex CLI wrote out the full `.env` file once the convention was merged, regardless of the underlying model. Only one model held: Anthropic’s Claude Code refused the same convention on every model researchers pointed at it, including Sonnet, Haiku, and Opus.

Coding tool + modelResult on the image attack (n=10 each)
Cursor + Sonnet 4.6Leaked the whole `.env`
Cursor + Composer-2Leaked the whole `.env`
Cursor + GPT-5.5Leaked the whole `.env`
Antigravity + Sonnet 4.6Leaked the whole `.env`
Antigravity + Gemini 3.1 ProLeaked the whole `.env`
Antigravity + Gemini 3 FlashLeaked the whole `.env`
Codex CLI + GPT-5.4Leaked the whole `.env`
Antigravity + OpusWrote it, then redacted
Claude Code + Sonnet 4.6Refused
Claude Code + Haiku 4.5Refused
Claude Code + Opus 4.7Refused

Under Antigravity, Opus computed the secret and wrote it into the file, then caught the social engineering pattern and deleted it before finishing, a partial catch short of a clean refusal. That split result, identical weights refusing in one harness and complying in another, points at the safety scaffolding around a model as the deciding factor, not its training.

Rather than wait on deployed tools to add image support, the researchers built their own countermeasure. A multimodal pull-request defender that runs as a GitHub app on modest hardware, combining an invisible character scan, a code-shape scan, and an LLM pass over both the convention text and the images themselves. On a fifteen-class internal stress test, its underlying model, Gemma 4, caught every malicious pull request with no false alarms on benign ones.

Newsletter
Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.

SQ Magazine’s Takeaway

GhostCommit is a proof-of-concept, not a live breach, but it exposes two blind spots already sitting in production tooling. One is procedural: the same 73% no-review gap named above is what turns a plain-text attack into a working exploit, and an LLM reviewer only closes it by actually inspecting every file type.

The other is architectural: identical model weights produced opposite outcomes depending on which coding harness wrapped them. The resulting security posture is a property of the coding harness a team picks, not just the model running underneath it.

What’s next sits mostly with the teams running these agents. Treat any file an agent reads automatically, images included, as untrusted input, and confirm whether a code-review tool actually opens image attachments before assuming it screens them.

Teams that merged AI authored pull requests referencing external images in recent months should audit those diffs and rotate any credentials that touched the repository during that window. The researchers say they notified the affected vendors before publishing, so watching for CodeRabbit and Bugbot updates that stop excluding images by default is a reasonable near-term signal to track.

This article has been reviewed and fact-checked by Robert A. Lee. SQ Magazine follows strict Publishing Principles and a documented Fact-Check Policy to ensure accuracy, transparency, and editorial independence across all content.

Add SQ Magazine as a Preferred Source on Google for updates! Follow on Google News
Share ChatGPT Perplexity

References

  • ASSET Research Group: We Put the Exploit in a Picture (GhostCommit Disclosure)
  • GitHub: asset-group/ghostcommit, PoC for GhostCommit Attack
  • BleepingComputer: 'Ghostcommit' Hides Prompt Injection in Images to Fool AI Agents, Steal Secrets
Sofia Ramirez

Sofia Ramirez

Senior Tech Writer


Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps readers stay informed and secure in today’s fast-changing tech landscape. Passionate about making cybersecurity accessible, Sofia blends research-driven analysis with straightforward explanations; so whether you’re a tech professional or a curious reader, her work ensures you’re always one step ahead in the digital world.

Related Posts

Tangem Wallet Cards Vulnerable To Laser Fault Attack
Cybersecurity

Tangem Wallet Cards Vulnerable to Laser Fault Attack

Apple S Foldable Iphone Ultra Battery Capacity Allegedly Leaks
Technology

Apple’s Foldable iPhone Ultra Battery Capacity Allegedly Leaks

Microsoft Patches Rogueplanet Zero Day In Defender
Cybersecurity

Microsoft Patches RoguePlanet Zero-Day in Defender

Disclaimer: The content published on SQ Magazine is for informational and educational purposes only. Please verify details independently before making any important decisions based on our content.

Reader Interactions

Leave a Comment Cancel reply

Primary Sidebar

Connect With Us

facebook x linkedin google-news telegram pinterest whatsapp email
google-preferred-source-badge Add as a preferred source on Google

You Should Also Read

Palo Alto Networks Patches 13 PAN-OS Vulnerabilities
Wiz Finds GhostApproval Flaw in 6 AI Coding Assistants
AssuranceAmerica Data Breach Exposes 6.9 Million Drivers

Table of Contents

  • Quick Summary – TLDR:
  • GhostCommit Hides an Exploit Inside an Image
  • Why Reviewers Miss the Picture?
  • The Harness Decides, Not the Model
  • SQ Magazine’s Takeaway
Connect on Telegram

Footer

SQ Magazine Logo

Smarter Insights for a Fast-Moving Digital World

Connect With Us

Follow Us on Google News

Editorial & Trust

  • About
  • Publishing Principles
  • Fact-Check Policy
  • Corrections Policy
  • Ethics Policy
  • Disclaimer

Worth Checking

  • Social Media Attention Span Stats
  • Gen Z Social Media Statistics
  • TikTok vs. Instagram Statistics
  • LLM Hallucination Statistics
  • Spotify User Statistics
  • Apple Customer Loyalty Statistics
Contact Us
13570 Grove Dr #189,
Maple Grove, MN 55311,
United States
10 a.m. to 6 p.m. | Every day

Copyright © 2022–2026 SQ Magazine. All Rights Reserved. Powered by the Neural Stack.

  • Privacy Policy
  • Terms
  • Accessibility Statement
Company
  • About Us
  • Our Team
  • Our Mission
  • Core Values
Discover
  • Brand Assets
    Brand Assets
  • Stats Methodology
    Stats Research Process
  • Glossary
    Glossary
Categories
  • Internet
  • Technology
  • Artificial Intelligence
  • Gaming
  • Cybersecurity
Internet
How Many People Use YouTube
How Many People Use YouTube 2026: Users by Country
How Many People Work At Amazon
How Many People Work At Amazon 2026: Headcount, Layoffs, Productivity
Hulu Statistics
Hulu Statistics 2026: Subscribers, Revenue and Market Share
Spotify vs Apple Music Statistics
Spotify vs Apple Music Statistics 2026: Subscribers, Revenue, Market Share
Time Spent on TikTok Statistics
Time Spent on TikTok Statistics 2026: Daily Minutes by Age
Google Workspace Statistics
Google Workspace Statistics 2026: Users, Market Share and AI
Technology
Google Cloud Platform Statistics
Google Cloud Platform Statistics 2026: Market Growth
Asana Statistics
Asana Statistics 2026: Revenue, Customers, AI ARR and Market Share
AWS Statistics
AWS Statistics 2026: Revenue, Market Share and AI Growth
Adobe Creative Cloud Statistics
Adobe Creative Cloud Statistics 2026: Subscribers, Revenue and Market Share
Adobe Statistics
Adobe Statistics 2026: Revenue, ARR, and Workforce Data
Employee Productivity Statistics
Employee Productivity Statistics 2026: Engagement, Costs & Trends
Artificial Intelligence
How Many People Work At Midjourney
How Many People Work At Midjourney 2026: Lean Team, Big Revenue
Grammarly AI Statistics
Grammarly AI Statistics 2026: Users, Revenue, Funding, Rebrand
Copilot Statistics
Copilot Statistics 2026: Users, Adoption, Revenue and Market Share
AI Image Generation Statistics
AI Image Generation Statistics 2026: Market Size, Adoption & Risks
Machine Learning Adoption
Machine Learning Adoption in 2026: What Businesses Need to Know
AI Influencer Marketing Statistics
AI Influencer Marketing Statistics: Market Size and Engagement
Gaming
Online Gambling Regulations Statistics
Online Gambling Regulations Statistics 2026: Global Compliance and Enforcement Data
Fantasy Sports Statistics
Fantasy Sports Statistics 2026: Users, Revenue & Trends
Apex Legends Statistics
Apex Legends Statistics 2026: Players, Revenue, and Esports
Fortnite Statistics
Fortnite Statistics 2026: Players, Revenue, Esports, and Engagement
Gamers Statistics
Gamers Statistics 2026: Players, Habits & Global Data
Minecraft Statistics
Minecraft Statistics 2026: 300 Million Copies Sold & 212M Monthly Players
Cybersecurity
Password Statistics
Password Statistics 2026: Credential Theft, MFA, and the Passkey Tipping Point
Identity Theft Statistics
Identity Theft Statistics 2026: Key Fraud Data and Trends
CVE Statistics
CVE Statistics 2026: Severity Distribution and Top Affected Vendors
Dark Web AI Tool Marketplace Statistics
Dark Web AI Tool Marketplace Statistics 2026: Explosive Market Growth
API Security Breach Statistics
API Security Breach Statistics 2026: Hidden Threats
AI Voice Cloning Fraud Statistics
AI Voice Cloning Fraud Statistics 2026: Alarming Trends You Must Know Now
Categories
  • Cybersecurity
  • Artificial Intelligence
  • Internet
  • Technology
  • Gaming
Cybersecurity
Tangem Wallet Cards Vulnerable To Laser Fault Attack
Tangem Wallet Cards Vulnerable to Laser Fault Attack
Microsoft Patches Rogueplanet Zero Day In Defender
Microsoft Patches RoguePlanet Zero-Day in Defender
Palo Alto Networks Patches 13 Pan Os Vulnerabilities
Palo Alto Networks Patches 13 PAN-OS Vulnerabilities
Ghostapproval Flaw In 6 Ai Coding Assistants Found
Wiz Finds GhostApproval Flaw in 6 AI Coding Assistants
Assuranceamerica Data Breach Exposes 6 9 Million Drivers
AssuranceAmerica Data Breach Exposes 6.9 Million Drivers
Accenture Confirms Breach After Hacker Lists Stolen Data
Accenture Confirms Breach After Hacker Lists Stolen Data
Artificial Intelligence
Openai Launches Chatgpt Work With Gpt 5 6 Agents
OpenAI Launches ChatGPT Work With GPT-5.6 Agents
Openai Shuts Down Standalone Atlas Browser
OpenAI Shuts Down Standalone Atlas Browser
Meta Launches Muse Spark 1 1 Ai Coding Model
Meta Launches Muse Spark 1.1 to Challenge Anthropic, OpenAI
Anthropic Launches Claude Reflect Beta To Track Ai Habits
Anthropic Launches Claude Reflect Beta to Track AI Habits
Xai Launches Grok 4 5
xAI Launches Grok 4.5, Elon Musk Calls It Opus-Class
Openai Launches Gpt Live Full Duplex Voice Models
OpenAI Launches GPT-Live Full-Duplex Voice Models
Internet
Whatsapp Launches Username Reservation Feature
WhatsApp Opens Username Reservations for Its 3 Billion Users
Chrome 149 Update Fixes Serious Vulnerabilities
Google Chrome 149 Fixes 18 Serious Security Flaws
Meta Hands Whatsapp Reins To Cred Founder Kunal Shah
Meta Hands WhatsApp Reins to CRED Founder Kunal Shah
Major X Outage Disrupts Users Worldwide
Major X Outage Disrupts Users Worldwide, Service Restored
Meta Adds 13 Plus Age Verification For Teen Safety
Meta Adds 13+ Content Settings and AI Age Checks for Teens
Telegram Restricted In India Temporarily
Telegram Restricted in India as NEET Fraud Crackdown Grows
Technology
Apple S Foldable Iphone Ultra Battery Capacity Allegedly Leaks
Apple’s Foldable iPhone Ultra Battery Capacity Allegedly Leaks
Microsoft Lays Off 4800 Employees
Microsoft Cuts 4,800 Jobs, Resets Xbox Strategy
Chrome Update Fixes 382 Vulnerabilities
Chrome 150 Patches 382 Security Fixes, 15 Critical
Apple Leak Reveals Six New Iphones For 2027
Massive Apple Leak Reveals Six New iPhones for 2027
Google Finance Comes Out Of Beta With Android App
Google Finance Gets Major AI Upgrade and New Android App
Windows Recycle Bin Bug Confirmed After June Security Update
Windows Recycle Bin Bug Confirmed After June Security Update
Gaming
Gta Vi Official Cover Art
GTA 6 Pre-Orders Start June 25, New Cover Art Unveiled
Epic Games Teases Unreal Engine 6 For Rocket League
Epic Games Teases Unreal Engine 6 for Rocket League
Stardew Valley Launched For Nintendo Switch 2 Edition
Stardew Valley Switch 2 Edition Arrives with Online Co-op
Hogwarts Legacy Game Crosses 40m Downloads
Hogwarts Legacy Crosses 40M Sales, Beating Industry Giants
Pubg Black Budget Closed Alpha Launched
PUBG: Black Budget Launches Closed Alpha Test With a Bold PvPvE Twist
Counter Strike 2 Skin Market Crashes After Valve Update
Counter-Strike 2’s $5.9 Billion Skin Economy Just Got Shattered
Newsletter

Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.

Newsletter

Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.