While the tech industry packages multimodality into glossy presentations, researchers from the ASSET Research Group have demonstrated that a simple image in a pull request can act as a fatal Trojan horse. The mechanics of the 'Ghostcommit' attack are as elegant as they are destructive. Malicious instructions are embedded into the metadata or the visual layer of a PNG file referenced by a service configuration (such as AGENTS.md). An AI agent trained to automatically parse code obediently reads the image as a direct command and leaks API keys, bypassing all text-based filters.

In practice, this looks like security surrendering to convenience. Autonomous reviewers like CodeRabbit and Bugbot proved entirely unprepared for visual injections. In testing, CodeRabbit ignored the trap, while Bugbot failed to notice a command to read a .env file even when researchers wrote it in plain text over the image. To these systems, a command inside a PNG carries the same weight as a system prompt. Using a combination of Cursor and Claude Sonnet, the attack succeeded on the first attempt: the agent converted the .env contents into an innocent-looking list of 311 numbers and integrated them into the code as a mathematical constant. Secret scanners remained silent—they simply aren't trained to look for passwords disguised as data arrays.

The Anatomy of a Delayed Heist

The Ghostcommit mechanic relies on a 'sleeper' mode: the agent doesn't execute the code instantly, but rather within the context of future routine tasks. As soon as a developer asks the AI to build a module, it pulls the instructions embedded in the repository and completes the theft. The situation is exacerbated by the fact that 73% of pull requests in the 300 most active public repositories are accepted without a human review. This makes agents the weakest link in the corporate security perimeter. While top-tier models like Claude Opus occasionally recognized social engineering in experiments, the general architectural vulnerability remains critical.

"AI agents today are like diligent employees with access to the safe, ready to follow any order as long as it's written on a pretty postcard."

Researchers conducted 10 attacks on each model pairing, confirming consistent results: without logic isolation from external content, agents submissively hand over access to cloud infrastructure and databases. For businesses, this means that integrating autonomous assistants into CI/CD pipelines without strict permission mapping isn't innovation—it's an open door for industrial espionage. As long as multimodal models treat pixels as absolute truth, handing them the keys to the repository is premature.

AI AgentsCybersecurityComputer VisionAI SafetyAnthropic