#6
BleepingComputer
general
July 11, 2026 at 09:03 UTC
'Ghostcommit' hides prompt injection in images to fool AI agents, steal secrets
By Ax Sharma
AI Summary
'Ghostcommit' is a demonstrated prompt injection technique that embeds malicious instructions inside PNG image files to manipulate AI coding agents such as CodeRabbit and Bugbot, which never inspect image content. Researchers showed the attack could instruct a coding agent to read a repository's .env file and exfiltrate all secrets encoded as numbers within the codebase, bypassing AI-based code review entirely.
Relevance score: 75.0/100
Sponsored
Protect Your Business
Expert cybersecurity solutions to safeguard your organization from evolving threats.
Get Protected →