Researchers Uncover GhostCommit Technique: A New Threat to Code Security
In a groundbreaking revelation, researchers from the ASSET Research Group have unveiled a new technique known as “GhostCommit,” a sophisticated form of malicious code injection that exploits the existing procedures for reviewing pull requests. This method intricately embeds harmful instructions within images that accompany pull requests, enabling attackers to circumvent conventional text-only AI code reviewers. The implications of this technique are significant, as it poses a serious risk of allowing coding agents to manipulate system behavior and expose sensitive repository secrets.
The ASSET Research Group’s findings emphasize the growing vulnerabilities that arise from the increasing reliance on automated systems for code review. As coding workflows become more AI-assisted, researchers highlighted the widening gap between automated pull request evaluations and the actual threat landscape, leading to potential security holes in many repositories.
In their comprehensive study, the researchers analyzed an impressive total of 64,806 pull requests across 300 active public repositories. Alarmingly, they discovered that a staggering 73% of merged changes were able to reach the default branch without undergoing adequate scrutiny from either human reviewers or automated bots. This lack of oversight creates an environment ripe for abuse.
How GhostCommit Works
The GhostCommit technique initiates with seemingly benign repository files, such as AGENTS.md. Rather than containing overtly harmful content, these files provide instructions for AI coding agents to interpret a PNG image as a “build specification” for generating what is termed a "provenance constant." Within this image lies the actual malicious instruction, obscured from standard review processes.
In detail, this operational model instructs the coding agent to read the repository’s .env file, which contains sensitive information like database credentials or API keys. The agent is directed to convert the contents of this critical file into integer values and integrate these values within the source code. Due to the nature of the PNG file format, conventional diff-based code reviewers and security tools may only recognize it as binary data, thus failing to detect the embedded instructions.
The ASSET researchers demonstrated that while AI code review systems such as Cursor Bugbot and CodeRabbit successfully identified a text-based prototype of this attack—where instructions explicitly directed an agent to encode .env contents as ASCII values—the tactics changed drastically when hidden beneath the veneer of an image. The image-based instructions passed through the review process unnoticed, as CodeRabbit, in its default configuration, does not scan PNG files, leaving a critical vulnerability unaddressed.
The Impact of the Threat
Further analysis indicated that the malicious pull requests not only contained the harmful image but also included a fake validation tool and fabricated incident documentation, which contributed to the legitimacy of its provenance workflow. This deceptive tactic enabled the pull request to bypass coherence checks that are typically designed to flag suspicious or unsupported repository activities.
Once a malicious pull request is merged into the repository, the attack vector becomes active. In subsequent development sessions, the AI coding agent may read the repository’s instruction files, invoke the image, and unwittingly follow the embedded instructions while producing unrelated code. The outcome could result in a source file containing a tuple of integers representing sensitive values from the .env file, which malicious actors might later decode from a public commit to retrieve crucial secrets like API keys and cloud access tokens.
Moreover, this method is particularly insidious as it effectively evades standard secret-scanning tools. The credentials no longer exist in recognizable string formats; instead, they manifest as a series of numeric values, necessitating conversion to bytes for detection, making it challenging for conventional security measures to identify breaches.
Testing conducted by the researchers revealed significant variances in how different coding environments responded to the image-based instructions. Some coding tools appeared capable of executing these malicious instructions, inserting intentionally seeded test secrets into the source code. Interestingly, tools like Claude Code, employing certain underlying model families, displayed the capability to refuse these harmful instructions.
The researchers pointed out that disparities in outcomes suggest that several factors—including the agent harness involved, system prompts, tool permissions, and inherent safety controls—play pivotal roles in safeguarding against such indirect prompt injections.
Recommendations for Organizations
To address these newly highlighted risks, the ASSET Research Group recommends adopting a multimodal approach to pull request reviews. This would involve analyzing instruction files, scrutinizing source code patterns, checking for invisible characters, and examining any text embedded within images. Organizations are encouraged to treat images and other non-text assets as potential vehicles for harmful instructions. Moreover, they should implement human review protocols for changes to repository policies, restrict agent access to sensitive information, and conduct thorough scans of encoded data prior to its deployment in public repositories.
As the cybersecurity landscape continues to evolve, developing a robust defense mechanism against emerging threats like GhostCommit is essential for protecting valuable code assets from the ever-present risk of malicious exploitation.
