Ghostcommit PNG-embedded prompt injection against AI code reviewers
Technical Analysis
Summary
Hide ▲
Show ▼
Researchers demonstrated Ghostcommit, a PNG-embedded prompt-injection technique that can bypass AI code review and leak .env secrets into committed source. The payload hides inside docs/images/build-spec.png instead of plain text, so text-only reviewers miss the instruction while a later coding agent follows it. In one end-to-end run, the agent turned repository secrets into a 311-integer constant that decoded back to the full secret file. The result exposes a structural blind spot in pull-request automation where review tooling, not the model alone, determines whether exfiltration succeeds.
Related Happenings
Prompt-injection proof-of-concept enables silent RCE in Claude Code and Codex
Technical Analysis
H score28
First: 10.07.2026 16:45
Last: 10.07.2026 16:45
Sources 1
About this happening:
Researchers demonstrated a **proof-of-concept exploit** that can force **remote code execution** in **Anthropic’s Claude Code** and **OpenAI’s Codex**, exposing a trust-boundary f...
Prompt-injection proof-of-concept enables silent RCE in Claude Code and Codex
Technical AnalysisAbout this happening: Researchers demonstrated a **proof-of-concept exploit** that can force **remote code execution** in **Anthropic’s Claude Code** and **OpenAI’s Codex**, exposing a trust-boundary f...
Friendly Fire: autonomous AI code-review modes can execute attacker-controlled repository code
Technical Analysis
H score28
First: 09.07.2026 08:15
Last: 09.07.2026 08:15
Sources 1
About this happening:
**Friendly Fire** shows that autonomous code-review modes in **Claude Code** and **OpenAI Codex** can be manipulated into **executing attacker-controlled code** on the host. The p...
Friendly Fire: autonomous AI code-review modes can execute attacker-controlled repository code
Technical AnalysisAbout this happening: **Friendly Fire** shows that autonomous code-review modes in **Claude Code** and **OpenAI Codex** can be manipulated into **executing attacker-controlled code** on the host. The p...
AI coding assistants GhostApproval symlink security flaw
Vulnerability
H score22
First: 09.07.2026 07:27
Last: 09.07.2026 07:27
Sources 1
About this happening:
A **July 8** disclosure identified **GhostApproval**, a **symlink** flaw in **six AI coding assistants** that can redirect approved writes into **~/.ssh/authorized_keys** or **~/....
AI coding assistants GhostApproval symlink security flaw
VulnerabilityAbout this happening: A **July 8** disclosure identified **GhostApproval**, a **symlink** flaw in **six AI coding assistants** that can redirect approved writes into **~/.ssh/authorized_keys** or **~/....
HalluSquatting indirect prompt-injection attack on AI coding assistants
Technical Analysis
H score3
First: 08.07.2026 18:07
Last: 08.07.2026 18:07
Sources 1
About this happening:
Researchers demonstrated **HalluSquatting**, an indirect prompt-injection technique that can push **AI coding assistants** to fetch attacker-controlled resources and execute code....
HalluSquatting indirect prompt-injection attack on AI coding assistants
Technical AnalysisAbout this happening: Researchers demonstrated **HalluSquatting**, an indirect prompt-injection technique that can push **AI coding assistants** to fetch attacker-controlled resources and execute code....
Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files
Technical Analysis
H score22
First: 08.07.2026 14:21
Last: 08.07.2026 14:21
Sources 1
About this happening:
Researchers demonstrated a **workflow-level jailbreak** against **GitHub Copilot Chat** that caused harmful answers to be written inside code tasks even when direct chat prompts w...
Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files
Technical AnalysisAbout this happening: Researchers demonstrated a **workflow-level jailbreak** against **GitHub Copilot Chat** that caused harmful answers to be written inside code tasks even when direct chat prompts w...
Timeline
-
11.07.2026 12:03 2 articles · 1h ago
Ghostcommit discloses PNG-based prompt injection against AI code review
Initial DisclosureResearchers from the ASSET Research Group disclosed Ghostcommit, a proof-of-concept that hides prompt-injection instructions inside a PNG referenced by AGENTS.md so text-only AI code reviewers miss the payload. In testing, a coding agent later opened the repository's .env file and turned its contents into a commit-time numeric constant, including one run where Cursor driving Claude Sonnet emitted 311 integers that decoded back to the full secret file. The group also built a multimodal pull-request defender as a GitHub app to inspect conventions and images, and it blocked nearly all attacks in a live trial while avoiding false positives on legitimate pull requests.
Show sources
- 'Ghostcommit' hides prompt injection in images to fool AI agents, steal secrets — www.bleepingcomputer.com — 11.07.2026 12:03
- 'Ghostcommit' hides prompt injection in images to fool AI agents, steal secrets — www.bleepingcomputer.com — 11.07.2026 12:03