Ghostcommit PNG Attack Tricks AI Code Reviewers into Leaking .env

UMKC researchers demonstrated Ghostcommit, a PNG-based prompt injection attack that tricks AI code reviewers into exfiltrating .env secrets as code constants.
Table of Contents
    Add a header to begin generating the table of contents

    Researchers at the ASSET Research Group at the University of Missouri-Kansas City published a demonstrated attack called Ghostcommit that hides malicious instructions inside PNG image files included in pull requests, directing AI code review agents to read a repository’s .env file and exfiltrate its contents as camouflaged code — bypassing secret-scanning tools that inspect committed text but do not analyze images for embedded instructions. The technique worked against multiple AI code review platforms across different underlying language models.

    How Ghostcommit Embeds Prompt Injection Instructions in PNG Images

    The Ghostcommit attack relies on two components working together: a PNG image containing text-embedded instructions that an AI code reviewer will read as legitimate commands, and an AGENTS.md file placed in the repository that AI coding agents process automatically. The AGENTS.md file points to the malicious PNG, routing the AI agent to read the image and interpret its embedded text as instructions before proceeding with any other review task.

    The AGENTS.md File as the Attack Vector That Routes Reviewers to Malicious PNGs

    AGENTS.md is a configuration file that some AI coding agents treat as a source of operating instructions at the repository level — a legitimate mechanism for customizing how an AI agent behaves in a given codebase. In Ghostcommit, an attacker includes a malicious AGENTS.md in a pull request alongside a PNG carrying the injected instructions. When an AI code reviewer processes the pull request, it reads AGENTS.md first, which directs it to the PNG. The AI then reads the PNG’s embedded text instructions and carries them out. Because the instructions appear inside an image rather than in committed source code or markdown, existing secret-scanning pipelines that monitor text content do not detect them.

    How Ghostcommit Camouflages .env Exfiltration as Legitimate Module Constants

    The embedded instructions in the Ghostcommit PNG direct the AI agent to read the repository’s .env file byte by byte, convert each byte to its integer value, and emit the results as a module constant in code that looks like ordinary configuration data. In the UMKC demonstration, this technique successfully encoded a complete .env file as 311 integers committed to the repository — indistinguishable to automated review systems from legitimate numeric configuration constants. The exfiltrated data sits in the committed code, readable to anyone with repository access, without triggering any alert from tools designed to detect API keys, tokens, or password strings in plaintext.

    Which AI Tools Were Vulnerable and Which Resisted the Attack

    UMKC tested Ghostcommit against multiple AI code review tools to establish which platforms were vulnerable and under what conditions.

    Cursor and Antigravity Leaked .env Files; Claude Code Narrated and Refused the Attack

    Both Cursor and Antigravity leaked .env file contents across multiple LLM backends when subjected to the Ghostcommit attack — demonstrating that the vulnerability is not specific to one underlying language model but to how the tool processes image content during code review. Claude Code responded differently: it explicitly refused to carry out the attack and narrated its refusal, describing why the instructions were malicious. CodeRabbit excluded images from review by default, effectively sidestepping the attack vector without specifically detecting it. The variation in platform responses illustrates that resistance to this class of attack depends on tool-level behavioral controls rather than the capabilities of the underlying model alone.

    The UMKC team — led by associate professor Sudipta Chattopadhyay and researcher Murali Ediga — also built a defensive GitHub application combining invisible character scanning, code-shape analysis, and image-aware LLM review. The application blocked 79 of 80 novel attack variants with zero false positives in testing.

    Why Ghostcommit Represents a New Class of Supply Chain Risk for AI-Assisted Development

    Ghostcommit is the first publicly documented attack that uses image steganography — hiding instructions inside image files — to carry out prompt injection against AI code review workflows. Prior prompt injection research focused primarily on text-based injection through comments, commit messages, or code strings. The shift to image-based injection expands the attack surface to any AI code review tool that processes pull request attachments without filtering or scanning image content for embedded text instructions.

    The attack is particularly concerning for organizations that have integrated AI code reviewers into pull request pipelines without auditing what content those reviewers are permitted to act on. Any repository where a pull request submitter can include PNG files and an AGENTS.md, and where the AI reviewer processes both automatically, is potentially reachable by the Ghostcommit technique regardless of which LLM the review tool uses.

    Related Posts