'Ghostcommit' hides prompt injection in images to fool AI agents, steal secrets
Researchers have built a pull request that steals a repository's secrets by hiding the malicious instruction inside a PNG that AI code reviewers never open.
Researchers have built a pull request that steals a repository's secrets by hiding the malicious instruction inside a PNG that AI code reviewers never open.
The reviewer waves the change through. Later, a coding agent reads the picture, opens the repo's .env, and writes every key into the source as a harmless-looking list of numbers.
How 'Ghostcommit' works
The attack is joint work from the University of Missouri-Kansas City's ASSET Research Group, by associate professor Sudipta Chattopadhyay and researcher Murali Ediga, who shared it with BleepingComputer.