Ghostcommit Camouflages Prompt Injection in Images to Bypass AI Security & Data Theft
Researchers have developed a novel method to bypass AI-driven code review processes by embedding malicious instructions within image files, enabling unauthorized access to repository secrets.
Research Findings
The attack was developed by researchers from the University of Missouri-Kansas City’s ASSET Research Group, including associate professor Sudipta Chattopadhyay and researcher Murali Ediga, who shared their findings with BleepingComputer. The team published a proof-of-concept on GitHub and disclosed their research to relevant vendors.
Attack Mechanism
The attack mechanism relies on a deceptive file structure. A standard AGENTS.md file, which coding agents typically parse as part of project configuration, includes a reference to a PNG image located at docs/images/build-spec.png. This image contains encoded instructions that instruct AI systems to read and process a repository’s .env file.
Deceptive File Structure
The payload is embedded as a sequence of integers derived from the .env file’s byte stream, which is then stored as a module constant. During initial review, the image is treated as a binary file, bypassing traditional text-based analysis tools.
Exfiltration Process
The exfiltration occurs when an AI coding agent processes the AGENTS.md file during startup. For example, when a developer requests a token-tracking module, the agent reads the image reference, accesses the .env file, and generates a “provenance” constant containing the encoded secrets.
Implications and Mitigation
The ASSET Research Group developed a mitigation strategy called the “multimodal pull-request defender,” a GitHub app designed to analyze both code and image content. This tool combines scans for hidden characters, code structure analysis, and natural language processing of both text and image data.
Runtime Monitoring and Security
The study emphasizes the need for layered security approaches. While static analysis tools failed to detect the attack, runtime monitoring of AI agent behavior could identify anomalous actions such as unauthorized file access.
Conclusion
This research underscores the evolving nature of AI-driven threats and the necessity for adaptive defense mechanisms. As AI systems become more integrated into development workflows, securing their interactions with external data sources will require continuous innovation in both detection and prevention strategies.
