Researchers disclosed Ghostcommit, a proof-of-concept software supply-chain attack that hides prompt-injection instructions inside a PNG image referenced by an AGENTS.md file, allowing malicious pull requests to appear benign during review. In the demonstrated scenario, AI code reviewers such as Cursor Bugbot and CodeRabbit did not meaningfully inspect image content, so the pull request could be merged even though the real instructions were concealed in the image rather than visible text.
After merge, the attack is triggered when a developer later asks a coding agent to perform a routine task and the agent reads the hidden image instructions, accesses repository secrets such as the .env file, encodes the contents as integer tuples, and inserts them into source code in a way that can evade typical secret scanners. Researchers from the University of Missouri-Kansas City's ASSET Research Group said exploitation depended more on the coding harness than the underlying model, with Cursor and Antigravity leaking secrets across multiple models while Claude Code consistently refused; they reported the issue to vendors and built a multimodal GitHub review app that detected nearly all tested variants, including image-based attacks, with no false positives in their evaluation.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
The researchers built a prototype multimodal GitHub review app to inspect images and related signals; in testing, it reportedly blocked or detected nearly all Ghostcommit attack variants with no false positives in the reported evaluation or live trial.
The researchers disclosed their Ghostcommit findings to affected vendors following their investigation.
In testing, the researchers found exploitation outcomes depended more on the coding tool or harness than the underlying model: Cursor and Antigravity leaked secrets across multiple models, while Anthropic's Claude Code consistently refused.
Researchers from the University of Missouri-Kansas City's ASSET Research Group demonstrated Ghostcommit, a proof-of-concept supply-chain attack that hides malicious instructions in a PNG referenced by AGENTS.md so AI code reviewers miss them and coding agents later leak repository secrets such as .env contents.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcebleepingcomputer.com
Open sourcegithub.com
Open sourceasset-group.github.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.