All articles
2 min read

'Ghostcommit' hides prompt injection in images to fool AI agents, steal secrets

AI systems face novel covert attacks, mandating evolving defense strategies against sophisticated prompt injection.

  • cyber
  • threat-intelligence
  • defense
Abstract cyber defense illustration for 'Ghostcommit' hides prompt injection in images to fool AI agents, steal secrets

This isn’t really an AI security story. It’s a secrets management story with an AI agent as the accomplice.

The headline is about a clever new attack, but the lesson is about a boring, old system failure.

What happened

Researchers figured out how to hide malicious prompts inside a PNG file. They used this “Ghostcommit” technique to trick AI code review tools like CodeRabbit and Bugbot, which weren’t looking for instructions inside images. The compromised AI agent then did what it was told: it read secrets from a .env file and pasted them right into the codebase for exfiltration.

Where the story gets useful

The easy takeaway is that we need better AI-aware content scanners. That’s true, but it misses the point. The interesting part is not the clever prompt injection. This is really an ownership and permissions problem.

Let’s ask the real questions.

Why could an automated code review tool read a .env file in the first place? And why did it have permissions to commit code containing exfiltrated secrets?

That’s not an AI problem. That’s a classic, boring failure of least privilege. The AI agent is just the tool that exploited the underlying weakness. If a human developer with the same over-privileged access did this, we’d call it an insider threat and review our IAM policies. The fact that an AI did it doesn’t change the root cause.

If nobody owns the agent’s identity and its permissions, nobody owns the risk. The dashboard for the shiny AI tool is not the control.

What to watch next

The question isn’t whether attackers will start using Ghostcommit in the wild. The question is whether your team can prove your automated agents can’t do this.

Forget the fancy attack vector for a minute and go back to basics. Can you inventory every service principal in your CI/CD pipeline? Can you prove what secrets they can read?

This is less about chasing the next novel exploit and more about validating that your controls actually work. The real signal to watch is whether teams use this as a fire drill to audit service account permissions, or just add it to a threat briefing slide and move on.


Source: ‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets

Tony Muzo

Cybersecurity analyst focused on threat intelligence, incident response, and security automation. More about me