Ghostcommit: Exposing Secret-Stealing Prompt Injection in Images
Ghostcommit is a proof-of-concept attack demonstrating how agents can be tricked into leaking environment variables via malicious instructions embedded in PNGs. It highlights a critical blind spot in current AI coding assistants and review tools.
Impact: High
Why it matters
Standard PR scanners ignore images; you must implement an image-parsing security layer for your AI coding agents.
TL;DR
- 01AI agents process documentation images, not just text.
- 0273% of public pull requests lack meaningful automated security review.
- 03Implement multimodal scanning to catch prompt injection in visual assets.
The Ghostcommit Vulnerability
Ghostcommit demonstrates that AI agents treat documentation files (like AGENT.md) as authoritative policy. When an agent processes a directory, it may follow an image link pointing to a malicious PNG. The researchers found that coding agents parsed instructions inside these images—specifically orders to read .env files and re-emit secrets as harmless-looking numeric constants—without triggering traditional security alerts.
The Review Gap
In a sample of 6,480 pull requests, 73% reached the default branch with no substantive human or bot review. Most current automated security tools exclude images by default, making them an ideal vector for prompt injection.
Mitigation Strategies
- Multimodal Scanning: Implement a custom GitHub app that uses an LLM to inspect images within PRs.
- Runtime Monitoring: Monitor agents for unusual access patterns, specifically when an agent accesses sensitive configuration files like
.envwithout a clear code-related requirement.
✓ When to use
- Use with caution when agents have file-system access.
- Apply to repositories using automated agent reviewers.
What to do today
- Audit your AGENT.md or convention files for image references.
- Configure your CI/CD to scan image binary content if using autonomous agents.
- Restrict agent access to production .env files.
Sources