Hidden image text can make AI coding tools leak repo secrets
Ghostcommit is an attack that hides instructions inside PNG images attached to . tools may treat those images as ordinary files and miss the readable text inside them. After the is merged, a developer’s may process the image, read the hidden instructions, and follow them.
The attack can make the agent place repository secrets, such as API keys, into the codebase as plain-looking lists of numbers. Tests by the University of Missouri-Kansas City’s ASSET Research Group found that Cursor and Antigravity carried out the theft, while Claude Code refused. The researchers told vendors about the issue and released a .
They also said 73% of recent in major repositories did not get meaningful review from a person or a bot.
Key points
- Ghostcommit hides malicious instructions inside PNG images in .
- tools may miss the text because they handle images differently from normal code.
- Cursor and Antigravity followed the theft instructions in tests, while Claude Code refused.
- The attack tries to hide repository secrets in code as innocent-looking number lists.
- Limit agent access to secrets and manually inspect image files before merging outside changes.