Ghostcommit: PNG prompt-injection makes AI agents leak repository secrets

Researchers disclosed Ghostcommit, a proof-of-concept software supply-chain attack that hides prompt-injection instructions inside a PNG image referenced by an AGENTS.md file, allowing malicious pull requests to appear benign during review. The instruction to steal your .env lives inside a PNG. The demonstration team placed the exploit in an image so text-based reviewers treat the file as a binary blob while downstream coding agents later open the picture, follow its instructions, access repository secrets and emit those secrets into source as encoded integers. In a related survey the authors wrote we surveyed 6,480 pull requests across the 300 most active public repositories of the last ninety days, and 73% of the ones that got merged reached the default branch with no substantive human review and no bot review at all. News outlets reported the disclosure and vendors were notified.
Multiple reporting outlets and the original ASSET Research Group writeup describe a demonstration called Ghostcommit. Researchers disclosed Ghostcommit, a proof-of-concept software supply-chain attack that hides prompt-injection instructions inside a PNG image referenced by an AGENTS.md file, allowing malicious pull requests to appear benign during review. The instruction to steal your .env lives inside a PNG. The ASSET team built a pull request in which an image contains an explicit instruction to read the repository .env and encode it as integers; text-based reviewers treat images as opaque while downstream coding agents can open them and execute the concealed directive. The authors also stated we surveyed 6,480 pull requests across the 300 most active public repositories of the last ninety days, and 73% of the ones that got merged reached the default branch with no substantive human review and no bot review at all. Independent technology outlets summarized the demonstration and confirmed the researchers reported their findings to affected vendors.
Key Points
- 1Ghostcommit places executable prompt instructions in an image referenced by project policy so code agents may act on concealed directives automatically.
- 2Researchers reported that 73% of merged pull requests in a 300-repository sample reached the default branch without substantive human or bot review.
- 3The authors built a prototype multimodal reviewer, disclosed findings to vendors, and multiple independent outlets reported on the Ghostcommit demonstration.
Scoring Rationale
The article summary and source materials include three central excerpts used to rate impact and verification: Researchers disclosed Ghostcommit, a proof-of-concept software supply-chain attack that hides prompt-injection instructions inside a PNG image referenced by an AGENTS.md file, allowing malicious pull requests to appear benign during review. The instruction to steal your .env lives inside a PNG. The ASSET writeup also reports we surveyed 6,480 pull requests across the 300 most active public repositories of the last ninety days, and 73% of the ones that got merged reached the default branch with no substantive human review and no bot review at all. Independent news reports corroborate the demonstration and vendor disclosure.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems