Researchers demonstrate 'Ghostcommit' attack exploiting AI code review blind spots
A new attack method called 'Ghostcommit' exploits vulnerabilities in AI-assisted code review processes by hiding malicious instructions within PNG image files. Developed by researchers at the University of Missouri-Kansas City, the technique bypasses automated security checks by embedding exfiltration commands in images referenced by project documentation files.
The attack works by inserting a pointer to an image containing hidden text instructions in a project's AGENTS.md file. When an AI coding agent later reads this file during routine operations, it follows the image reference and executes the embedded commands - typically to extract and encode sensitive environment variables. Researchers found 73% of pull requests in top repositories merge without substantive human or bot review, making this attack particularly effective.
Notably, the vulnerability stems more from tooling design than AI model flaws. Testing showed coding tools like Cursor and Antigravity leaked data across multiple AI models, while Claude Code consistently refused the malicious instructions regardless of model. The researchers developed a multimodal GitHub app defense that scans both text and images, catching 79 of 80 test attacks without false positives.
The findings highlight growing security challenges as AI agents handle more development tasks. While steganographic attacks aren't new, this implementation exposes critical gaps in current code review workflows that treat images as opaque binary data rather than potential attack vectors.
- Attack embeds malicious instructions in PNGs that bypass text-based code reviews
- Exposes structural blind spot in current AI-assisted development tooling
