
Cybersecurity researchers have identified a new supply chain attack technique called Ghostcommit, which hides malicious instructions inside PNG image files to manipulate AI coding assistants and steal sensitive information.
The attack targets AI-powered code review tools and coding agents by embedding hidden prompt-injection commands within image files. These instructions can trick AI tools into accessing and exposing confidential data, including .env files containing API keys, database details, and cloud credentials.
Researchers from the ASSET Research Group found that AI code review systems can easily detect malicious instructions written in plain text. However, Ghostcommit bypasses these checks by splitting the attack into 2 parts. A file named AGENTS.md contains a harmless-looking instruction asking the AI agent to derive a build constant from a referenced image, while the actual malicious commands are hidden inside a PNG file.
The hidden instructions direct the AI coding assistant to read the .env file, convert its contents into ASCII integer values, and insert the encoded data into the source code. Since many AI code review tools examine only text-based changes and ignore image content, the malicious pull request can pass security reviews without raising alerts.
Researchers explained that the attack becomes active only after the code is merged and a developer later uses an AI coding assistant. In one demonstration, an AI assistant powered by Claude Sonnet generated a sequence of 311 integers representing sensitive data, which attackers could later decode to recover API keys, database URLs, and cloud credentials.
The researchers said Ghostcommit exploits 2 weaknesses. First, the malicious instructions remain hidden inside an image, making them difficult for human reviewers, traditional scanners, and AI tools focused on text to detect. Second, the stolen data is encoded as numerical values instead of readable credentials, allowing it to bypass many secret-scanning tools.
Testing across multiple AI coding environments showed that security depended more on the AI framework than the underlying language model. While some environments leaked complete .env contents using models including GPT-5.5, Claude, and Gemini, Claude Code consistently refused to execute the hidden instructions.
To address the threat, researchers developed a prototype multimodal GitHub security review system that combines image analysis, code-pattern detection, and AI-based inspection of both text and embedded image content. During testing, the system detected all malicious pull requests without generating false positives.
The researchers have publicly released both the proof-of-concept attack and the detection method to help security teams strengthen defenses against AI-driven supply chain attacks. Experts recommend organizations enforce strict AI usage policies, carefully review AI-generated code, monitor repository changes, and restrict AI tools’ access to sensitive files and credentials.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream LinkedIn | The Mainstream Facebook | The Mainstream Youtube | The Mainstream Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.

