Skip to content
ATAI Today Brief
HomeNewsConceptsGuidesToolbox
AboutSubscribeUA
Subscribe

AI Today Brief

The daily AI-engineering brief. Built in public. EN · UA.

XTelegramLinkedInYouTubeRSS
NewsConceptsGuidesSubscribeAdvertiseAboutEditorial policyAI disclosurePrivacyTerms

© 2026 AI Today Brief. All rights reserved.

  1. Home/
  2. News/
  3. Agents & MCP/
  4. Ghostcommit: Exposing Secret-Stealing Prompt Injection in Images
Agents & MCP

Ghostcommit: Exposing Secret-Stealing Prompt Injection in Images

July 11, 2026· 4 min read
OKCurated by Oleksandr Kuzmenko, AI Product Engineer·Updated July 11, 2026·Sources cited on every story
AI-assisted · editor-reviewed·How we use AI
Ghostcommit: Exposing Secret-Stealing Prompt Injection in Images

Ghostcommit is a proof-of-concept attack demonstrating how agents can be tricked into leaking environment variables via malicious instructions embedded in PNGs. It highlights a critical blind spot in current AI coding assistants and review tools.

Impact: High

Why it matters

Standard PR scanners ignore images; you must implement an image-parsing security layer for your AI coding agents.

TL;DR

  • 01AI agents process documentation images, not just text.
  • 0273% of public pull requests lack meaningful automated security review.
  • 03Implement multimodal scanning to catch prompt injection in visual assets.

The Ghostcommit Vulnerability

Ghostcommit demonstrates that AI agents treat documentation files (like AGENT.md) as authoritative policy. When an agent processes a directory, it may follow an image link pointing to a malicious PNG. The researchers found that coding agents parsed instructions inside these images—specifically orders to read .env files and re-emit secrets as harmless-looking numeric constants—without triggering traditional security alerts.

The Review Gap

In a sample of 6,480 pull requests, 73% reached the default branch with no substantive human or bot review. Most current automated security tools exclude images by default, making them an ideal vector for prompt injection.

Mitigation Strategies

  • Multimodal Scanning: Implement a custom GitHub app that uses an LLM to inspect images within PRs.
  • Runtime Monitoring: Monitor agents for unusual access patterns, specifically when an agent accesses sensitive configuration files like .env without a clear code-related requirement.

✓ When to use

  • Use with caution when agents have file-system access.
  • Apply to repositories using automated agent reviewers.

What to do today

  • →Audit your AGENT.md or convention files for image references.
  • →Configure your CI/CD to scan image binary content if using autonomous agents.
  • →Restrict agent access to production .env files.
#Claude Code#Cursor#Gemini#GPT-5.5

Sources

  • 'Ghostcommit' hides prompt injection in images
ShareShare on XShare on LinkedIn
← Previous storyGrok 4.5 Tops Perplexity WANDR Orchestrator Benchmark at Half the Cost of OpusNext story →Micro-Optimizing Sorting Networks in C++ for Performance

Related stories

  • Agents & MCPExploring System Prompts of Claude, ChatGPT, Gemini, and Specialized AI Agents
  • Agents & MCPGrok 4.5 Tops Perplexity WANDR Orchestrator Benchmark at Half the Cost of Opus
  • Agents & MCPAI-Powered Job Application Framework Using Claude Code
  • Agents & MCPArchitectural Security for Agentic Systems: Guiding Identity, Delegation, and Audit Trails

Email digest

Get the morning AI brief

One email a day — the stories that matter for engineers, founders and tech leads. Human-edited, with links to primary sources.

  • ✓120+ sources scanned daily
  • ✓Edited by a human
  • ✓1 email per day
  • ✓EN + UA

By subscribing you agree to the privacy policy.