Inside Ghostcommit: How Malicious PNGs Bypass AI Code Reviewers

Reddit r/artificial News

Summary

Ghostcommit is a novel supply chain exploit that uses malicious PNG images containing text instructions to bypass AI code reviewers, leading to data exfiltration from developer environments.

Key takeaways in 90 seconds: Multimodal Vulnerability: Ghostcommit is a novel supply chain exploit targeting AI coding tools with vision capabilities. The Payload Split: The attack uses a two-file payload. A text-based rule file (like AGENTS.md) instructs the AI to read a PNG asset (such as build-spec.png) containing rendered text instructions. Bypassing Reviewers: Automated code review tools (like CodeRabbit) fail to scan the pixels of binary image assets, allowing the malicious pull request to pass security checks. Data Exfiltration: Once merged, the developer's local AI agent reads the image, processes the visual prompt, extracts sensitive .env keys, and encodes them as harmless arrays to leak them. Pipeline Hardening: Mitigate this risk by disabling vision capabilities in automated pipeline agents, sandboxing execution environments, and enforcing strict input boundaries.
Original Article

Similar Articles

GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos

Hacker News Top

Noma Labs discovered a critical prompt injection vulnerability in GitHub's Agentic Workflows, allowing unauthenticated attackers to exfiltrate data from private repositories by posting a crafted GitHub issue in a public repository of the same organization.

Incident CVE-2026-LGTM

Hacker News Top

A satirical incident report detailing how a malicious package bypassed multiple AI-powered security gates due to various failures, resolved only when the attacker's agent read a file it shouldn't have.

Config Files That Run Code: Supply Chain Security Blindspot

Hacker News Top

Config files for IDEs, AI coding agents, and package managers can execute code automatically, creating a supply chain security blindspot. The article details the Miasma worm attack that uses such config files to drop malware, and provides examples of injection vectors.