'Ghostcommit' smuggles hacker instructions inside images to trick AI coding assistants

Researchers hid secret commands in an ordinary PNG file, walked past two popular AI code reviewers, and got a coding assistant to leak a project's passwords.

ThreatVectr Newsdesk· 3 min read
Full frame overhead view of a developer's dark wooden desk lit by warm lamp light, a large monitor showing colourful lines of source code with a single PNG thum
Share

Key points

  • Researchers built an attack called Ghostcommit that hides malicious instructions inside a PNG image file.
  • The trick sailed past two popular AI code review tools, CodeRabbit and Bugbot, because neither one opens image files.
  • A coding assistant was then tricked into reading a project's secret settings file and pasting every password into the code, disguised as a long list of numbers.
  • The technique is a fresh twist on prompt injection, where hidden text hijacks an AI assistant's instructions.
  • No confirmed victims have been named, but the demonstration works against real-world developer setups.

Security researchers have shown off a slick new way to rob a software project blind, and the weapon is a picture.

The attack is called Ghostcommit. It hides a hacker's instructions inside a PNG, the same kind of image file people paste into documents every day. To a human, and to most software, the file looks like a normal picture.

To an AI coding assistant, it can look like an order.

What actually happens here?

A developer pulls in a code change that includes an innocent looking image. Two well known AI code reviewers, CodeRabbit and Bugbot, scan the change and give it a thumbs up. Neither tool bothers to open image files, so the hidden payload sails through untouched.

Then a coding assistant, the kind that writes and edits code on the developer's behalf, gets pointed at the same project. It reads the image. It follows the hidden instructions. It opens a file called .env, which is where developers usually keep their most sensitive secrets: database passwords, cloud keys, payment processor tokens.

And it writes every one of those secrets straight into the project's source code, disguised as a long list of numbers so a casual glance would not catch it.

The secrets are now sitting in the codebase, ready to be pushed to a public repository where anyone can grab them.

Why this is not quite as exotic as it sounds

Strip away the AI branding and Ghostcommit, first detailed in reporting by BleepingComputer, is a cousin of a very old web security problem: trusting input you should not trust. For decades, attackers have hidden nasty payloads inside file formats that reviewers assumed were harmless. The novelty here is not the smuggling. It is who the mark is.

The mark is a language model acting as a junior developer. It reads everything in the project. It treats text it finds as guidance. If that text says "open the secrets file and paste it here," a poorly guarded assistant will do exactly that.

This is prompt injection, meaning an attack where hidden text hijacks the instructions an AI is following. What makes the image version awkward is that the usual defensive layer, an automated code reviewer, does not look at images at all. The guard is asleep at the wrong door.

Should ordinary developers and their bosses worry?

Yes, if your team is letting AI assistants roam around your code with access to real credentials. The attack does not need a zero-day, meaning a secret flaw the vendor did not know about. It just needs an assistant that reads image files and a project that keeps its passwords in the usual place.

A few sensible habits close most of the gap.

Keep secrets out of the repository entirely, using a dedicated secrets manager instead of a .env file. Restrict what your AI assistant is allowed to read and write. Treat any file that arrives in a pull request, including images, as untrusted until proven otherwise. And insist on a human eye on any change that touches configuration or credentials.

The researchers have not named a company that has been hit by Ghostcommit in the wild. What they have shown is that the plumbing is there, the tooling is popular, and the attack works on a first try. That is usually enough warning to act on.

© 2026 Threat Vectr