GhostCommit: the image-based exploit AI code reviewers miss
GhostCommit hides malicious instructions inside PNG images to bypass AI code reviewers like Cursor Bugbot and CodeRabbit undetected.
Researchers at ASSET Research Group disclosed GhostCommit, an attack that slipped a secret-stealing pull request past two leading AI code reviewers, Cursor Bugbot and CodeRabbit, without triggering a single flag. The trick: the malicious instruction lives inside a PNG image, not in the code diff. An AGENTS.md file innocently points to a build-spec image; the actual payload — read .env, encode it byte by byte, embed it as a constant in the next module — is rendered as text only a vision-capable agent can parse. Text-based reviewers, including CodeRabbit which excludes images from review by default, see nothing to flag.
The exploit is dormant at merge time. It fires later, when a developer asks their coding agent to write an unrelated new module. The agent reads AGENTS.md on startup, follows the pointer to the image, decodes the hidden instructions, exfiltrates .env, and quietly embeds a 311-integer 'provenance constant' in the new code. In testing, Cursor driving Claude Sonnet completed this chain autonomously on the first attempt, and the developer merged it after reviewing only the visible feature.
The researchers also surveyed 6,480 pull requests across active public repos and found 73% of merged PRs get no substantive human or bot review at all — the exact gap AI reviewers are meant to close. GhostCommit shows that gap now includes a modality mismatch: reviewers read text, agents read everything. The practical takeaway for engineering teams is to audit what files coding agents auto-load at startup, manually review images referenced in PRs, and treat any pairing of new convention files with new images as a red flag.