Ghostcommit Attack: How a PNG Can Steal Your Code Secrets

·
Listen to this article~3 min
Ghostcommit Attack: How a PNG Can Steal Your Code Secrets

Researchers show how a PNG image with hidden prompt injection, called Ghostcommit, can trick AI code reviewers into stealing repo secrets from .env files.

Imagine this: you're a developer working on a project, and you push some code to your repo. An AI code reviewer, like CodeRabbit or Bugbot, checks it for bugs and vulnerabilities. But what if the reviewer itself is the weak link? That's exactly what researchers have shown with a new attack called 'Ghostcommit.' They hid a prompt injection inside a PNG image file. The AI reviewers never even looked at the image—they just passed it along to a coding agent. That agent then read the repo's .env file and spilled every secret as a list of numbers. Scary, right? ### How Ghostcommit Works The trick is simpler than you might think. Researchers embedded a malicious prompt inside a PNG's metadata. When a coding agent processed the image, it extracted the hidden instructions. Those instructions told the agent to read the .env file and output its contents as numbers. The AI reviewers, CodeRabbit and Bugbot, never opened the image—they just forwarded it. So the attack slipped right past them. ### Why This Matters for Developers This isn't just a theoretical threat. It's a real-world problem that could hit any team using AI tools to review code. If you're using AI agents to automate parts of your workflow, you need to know that images can carry hidden commands. The researchers showed that even simple PNG files can be weaponized. And since AI agents often trust inputs without question, this attack can be devastating. ### What You Can Do to Protect Yourself Here are a few steps to reduce the risk: - Never let AI agents open image files directly. Use sandboxing or manual review. - Strip metadata from images before processing. Tools like ExifTool can remove hidden data. - Monitor your AI agents for unusual behavior, like reading files they shouldn't. - Keep your .env files secure. Use environment variables instead of hardcoding secrets. ### The Bigger Picture This attack highlights a growing problem: AI agents are powerful, but they're also gullible. They follow instructions without questioning them. As we rely more on AI for code reviews, we need to build in safeguards. Think of it like this: you wouldn't let a stranger walk into your office and read your files. Don't let an AI agent do it either. ### Final Thoughts Ghostcommit is a wake-up call. It shows that security isn't just about your code—it's about the tools you use to review it. Stay vigilant, and always question what your AI agents are doing. After all, a PNG shouldn't be able to steal your secrets.