Viral Wire

Ghostcommit attack hides prompt injection in PNG to steal repository secrets

73% of merged pull requests bypass human review—now attackers exploit that gap with image-based injection.

Deep Dive

Ghostcommit is a novel software supply-chain attack that exploits the trust coding agents place in visual assets. The researchers embedded malicious instructions inside a PNG file, which is referenced by an AGENTS.md file used by AI coding tools (e.g., Copilot, Codex agents). When a developer or automated agent opens the image, the hidden prompt instructs the agent to extract secrets from the repository's .env file, convert them into encoded integers, and write those integers directly into the source code as a new commit. Because the malicious payload lives in a binary image, text-based reviewers see only a benign blip, while downstream agents faithfully execute the injected commands.

To quantify the threat, the team surveyed 6,480 pull requests across the 300 most active public repositories over 90 days. They found that 73% of merged PRs reached the default branch with no substantive human review and no automated bot review whatsoever. This widespread lack of oversight makes Ghostcommit particularly dangerous: a single malicious PR carrying an AGENTS.md that references a poisoned PNG could compromise every repository that trusts the agent's output. The researchers have notified major vendors and published their findings. While no active exploitation has been confirmed, the attack surface is alarmingly large.

Key Points
  • Attack uses a PNG image with hidden prompt-injection instructions, referenced by an AGENTS.md file to target coding agents.
  • Secrets from .env are exfiltrated by encoding them as integers in source code, bypassing text-based review.
  • Survey of 6,480 pull requests found 73% merged without any human or bot review, highlighting the vulnerability's scope.

Why It Matters

Ghostcommit turns AI coding agents into unwitting accomplices, exploiting low review rates to steal secrets at scale.

📬 Get the top 10 AI stories daily