www.malwarebytes.com 7/13/2026, 1:47:52 PM · external

Ghostcommit attack hides malicious code in images to trick AI coders

Ghostcommit attack hides malicious code in images to trick AI coders
CyberSIXT Evidence Panel
Primary Source github.com

THE Ghostcommit attack demonstrates how AI coding assistants can be exploited by embedding malicious instructions in image files. Researchers from the ASSET Research Group revealed that attackers can hide commands within a PNG file referenced in a software project’s policy files, prompting AI tools to execute these instructions surreptitiously. This poses a challenge for both human reviewers and automated scanners, as the malicious instructions can be overlooked in routine code reviews.

The nature of the AI tool's configuration significantly impacts the risk of secret leakage, emphasizing the need for stricter security measures, such as restricting access to sensitive information and inspecting non-text attachments.

View Primary Source Via www.malwarebytes.com

Article by CyberSIXT