A newly disclosed exploit dubbed Ghostcommit conceals rogue instructions inside a PNG file that AI code reviewers skip entirely, then lies dormant until a coding agent later exposes a repository's secrets. For teams running Cursor or similar tools in CI/CD, it's a fresh reason to audit review coverage and secrets handling now — even Claude Code, which refused the attack in testing, shows how much outcomes depend on the surrounding harness.
View the data behind this chart
| No human/bot review | Reviewed | |
|---|---|---|
| Share of merged PRs | %73 | %27 |
What Ghostcommit actually does
The exploit is the work of a team at the University of Missouri-Kansas City's ASSET Research Group — associate professor Sudipta Chattopadhyay and researcher Murali Ediga — who built a proof-of-concept pull request embedding a prompt injection in an image rather than in code or text. A repository's AGENTS.md file, the convention document that coding agents automatically ingest and treat as project policy, links out to a PNG called docs/images/build-spec.png. Buried inside that picture is the actual attack script: instructions telling an agent to open the repo's .env file, work through it byte by byte, convert each byte into an integer, and drop the result into the source as an innocuous-looking module constant.
The payoff is timed to arrive well after the fact. The instructions stay inactive until a completely separate session, when a developer later asks the agent to build something mundane, perhaps a token-tracking module. At that point the agent loads the merged AGENTS.md, chases the link to the image, pulls open .env, and delivers the requested feature with a 'provenance' constant tucked near the top of the file. During one such test, Cursor paired with Claude Sonnet pulled this off on its very first attempt, generating a string of 311 integers that, decoded, reconstructed the entire .env file byte for byte.
Why the review layer missed it
There's nothing clever about the concealment here — the weakness is structural, not technical. The instructions telling the agent to exfiltrate data sit in plain, legible text right inside the image, with no encoding or trickery involved. What defeats reviewers is simply that they treat images as opaque binary data and never open them to check. CodeRabbit's out-of-the-box settings skip image files during review altogether, and Bugbot flagged nothing at all — even after the researchers loaded the PNG with the literal phrase "malicious prompt injection" alongside an explicit command to read .env.
One of the study's clearer findings is that the choice of coding tool mattered more than the choice of underlying model. Both Cursor and the Antigravity platform followed the image's instructions and leaked .env contents when paired with Sonnet, Gemini, and GPT-5.5 alike. Anthropic's Claude Code, given the identical Sonnet model, declined every single time across every model variant tested, explicitly stating its refusal. Under Antigravity, however, Opus initially wrote the secret out before catching on to the manipulation and deleting it before completing the task — proof that the same model can produce opposite results purely because of the harness surrounding it.
The scale of the exposure problem
Ghostcommit exploits a review gap that's already substantial. Examining 6,480 pull requests drawn from the 300 busiest public repositories over a 90-day stretch, the researchers found that 73% of merged PRs made it to the default branch without any meaningful human check and without any bot review whatsoever. That's precisely the pool of repositories where this style of attack thrives — places where AI-driven merges have quietly replaced genuine human oversight.
Traditional secret scanners provide no safety net either, since none of them are built to convert a Python integer tuple back into readable ASCII and match it against known credential formats. An API key sitting in a public commit as a plain list of numbers simply reads as ordinary code to scanners designed around string matching.

What UK infrastructure teams should check now
For teams running AI code-review agents across CI/CD pipelines, the immediate priority is knowing which tool sits between the model and your repository — since the harness, not the model, determined whether secrets leaked in the researchers' tests. Teams should also review whether image and binary assets are genuinely scanned by their review bots, not silently excluded by default configuration, and treat repository .env files and credential stores as high-value assets warranting the same controls as production secrets vaults.
This is fundamentally a data protection question as much as a code-quality one, which makes preventing data loss a practical starting point for scoping the response. Where secrets have already been committed in any form, rotation and audit trails matter far more than after-the-fact detection, since the researchers' own trial showed even a purpose-built multimodal reviewer only caught 79 of 80 test attacks.
- •Verify whether your AI code reviewer actually inspects image and binary assets, or excludes them by default
- •Audit which coding tool (not just which model) sits in your pipeline, since harness behaviour varied by vendor
- •Rotate and re-scan repository secrets stored in .env or similar files across active projects
- •Confirm secret scanners can detect encoded formats, not just plain-text string matches
Backup, resilience and the layered response
The fix the research team built for itself — a multimodal pull request reviewer that examines images alongside code and text — points toward layered defence rather than a single silver-bullet patch. That principle extends beyond code review. Because the theft can surface weeks after the malicious merge, organisations need recovery capability that assumes compromise has already happened rather than relying solely on prevention. Robust critical for robust protection planning, paired with immutable copies of repository and secrets data, gives teams a way back if credentials are exposed before rotation completes.
Firms weighing how to store that recovery data should be considering immutable or air-gapped backup strategies for source repositories and secrets vaults, given how long a Ghostcommit-style payload can sit dormant undetected. Broader controls around zero trust access to credential stores and managed detection & response for anomalous agent behaviour both help close the runtime gap the researchers flagged: watching what an agent does when it reads a file it had no reason to touch, rather than trying to catch the payload before it ships.
