```html ``` Ghostcommit Hides the Attack in a PNG Your AI Reviewer Never Opens. It Robbed Cursor and Bugbot of Repo Secrets. Claude Code Read the Same Image and Refused.
top of page

Ghostcommit Hides the Attack in a PNG Your AI Reviewer Never Opens. It Robbed Cursor and Bugbot of Repo Secrets. Claude Code Read the Same Image and Refused.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 1 hour ago
  • 4 min read

Here is the newest way to rob a codebase, and its cleverness is that it hides in the one place your automated reviewer refuses to look. Researchers call it Ghostcommit, and it is the third time in eleven days we are writing the same underlying story: the AI agent gets fooled by a blind spot in how it reads the world, and the tell is whether the model understands what it is actually looking at. This time the blind spot is an image file, and — for once, and worth saying plainly — the agent that held the line was the one we build on.



How it works


Ghostcommit is a pull-request attack from the University of Missouri-Kansas City's ASSET Research Group — associate professor Sudipta Chattopadhyay and researcher Murali Ediga, who shared it with BleepingComputer and published a proof-of-concept this week. The mechanism is almost insultingly simple, which is what makes it good.


An attacker opens a pull request that includes a PNG image. Inside that PNG, in plain readable text, sit malicious instructions. When an AI code reviewer evaluates the pull request, it does what AI code reviewers do with images: it skips them. Reviewers are tuned to read diffs, not to open and inspect picture files, so the reviewer waves the change through without ever seeing the payload. The malicious instruction is not hidden by encryption or steganography — it is hidden by the reviewer's own habit of not looking.


Then the second stage. Later, a coding agent working in that repository reads the image — and this one does open it — finds the instruction, opens the repository's .env file, and writes every secret inside it into the source code, disguised as a harmless-looking list of numbers. The keys walk out the front door dressed as data. The researchers demonstrated it working against Cursor and Bugbot, two widely used AI coding tools, and released a multimodal defense that inspects images, conventions, and agent behavior alongside the disclosure.



The part that matters to us


We have said, repeatedly, that the entire modern AI-agent attack surface lives in the gap between what a file appears to be and what it actually contains — and that the agents which survive are the ones that read the thing the way the machine will, not the way it looks. On July 1 we wrote about Adversa AI fooling ten of eleven coding agents with shell tricks older than their users, and the one that held did so by parsing the command the way the shell would. Ghostcommit is that same lesson wearing an image instead of a bash string.


And here is the result the researchers reported, which we are going to state flat because it is true and because we told you the other side of it just yesterday: Anthropic's Claude Code read the same image, recognized the instruction for what it was, and refused — under every model they tested, narrating an explicit refusal.


We do not get to only quote the wins. On July 10 we published GhostApproval, where Claude Code was on the affected list and Anthropic disputed that it was a bug at all — and we said so, plainly, with the criticism intact. So when the very next day the same tool is the one that reads a poisoned image and declines, that carries weight precisely because we did not flinch the day before. Different attack, different result, both reported straight. That is the whole value of a threat intel shop you can trust: it tells you when your vendor failed and when it held, and it does not let the partnership bend the finding either direction.



What to do


If your team runs AI code review — Cursor, Bugbot, or anything that auto-approves pull requests — assume image files are an unreviewed channel into your repository, because they are. Treat a PNG in a PR the way you would treat an executable attachment in an email from a stranger. Concretely: do not let a code-review agent approve a change that adds or modifies binary/image assets without a human opening those assets; scope coding agents so they cannot read repository secrets into source in the first place (the .env should not be reachable by the agent that writes code); and run untrusted pull requests in an isolated environment where there are no live keys to steal. The UMKC team's multimodal defense is the right shape — inspect what the reviewer would otherwise skip.


Held to about ninety-five percent. The research, the proof-of-concept, and the defense are the UMKC ASSET Research Group's, and it is sharp work. What we add is the through-line: three times in eleven days, a decades-old-or-dead-simple trick has walked through the best AI agents on the market, and the one constant is that resistance comes from a model actually comprehending its input — not from a filter bolted on after. Yesterday that cut against the tool we use. Today it cut for it. We will keep reporting it whichever way it lands.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page