Ghostcommit: Multimodal Prompt Injection Attack Exposes AI Code Review Tools to Supply Chain Risks

Ghostcommit: Multimodal Prompt Injection Attack Exposes AI Code Review Tools to Supply Chain Risks

Executive Summary

Publication Date: June 2026

The emergence of Ghostcommit marks a significant evolution in the landscape of software supply chain attacks. By embedding prompt injection attacks within image files, Ghostcommit exploits the blind spots of current AI-powered code review tools, enabling attackers to exfiltrate secrets and manipulate repositories without detection. This report provides a comprehensive analysis of the technical mechanisms, security implications, and industry challenges associated with Ghostcommit, and offers a cyber perspective on how organizations can defend against this new class of threats.

Introduction

The rapid adoption of AI agents and automated code review tools has transformed software development workflows, but it has also introduced new security risks. Ghostcommit is a novel attack technique that leverages prompt injection hidden within image files, such as PNGs, to bypass both human and AI code reviewers. This method exposes critical vulnerabilities in the software supply chain, particularly in environments that rely heavily on AI-driven automation.

Technical Analysis of Ghostcommit

Ghostcommit operates by embedding malicious instructions as visible text within an image file. These instructions are ignored by most AI code reviewers, which typically exclude binary files like images from their analysis. When a developer or an AI coding agent later processes the image, the hidden prompt is executed, leading to the exfiltration of sensitive data such as repository secrets.

The core innovation of Ghostcommit lies in its use of multimodal prompt injection. Unlike traditional prompt injection attacks that rely on textual input, Ghostcommit embeds instructions in images, exploiting a fundamental gap in current AI code review pipelines. Even when the malicious prompt is plainly visible within the image, review tools do not process image content, allowing the attack to proceed undetected.

Researchers have demonstrated that a pull request containing a PNG with embedded instructions can steal a repository's secrets. The AI reviewer, which does not analyze images, approves the change. Later, a coding agent reads the image, opens the repository's .env file, and writes every key into the source as a harmless-looking list of numbers. This process effectively exfiltrates sensitive information without raising alarms.

Security Implications and Risks

The Ghostcommit technique exposes a critical vulnerability in the software supply chain, especially in organizations that rely on AI agents for code review and automation. The potential risks include exfiltration of secrets and credentials, unauthorized code execution, manipulation of repository content, and the bypassing of both human and automated review processes.

Prompt injection vulnerabilities arise from the way AI models process prompts and how input can force the model to incorrectly pass prompt data to other parts of the system. This can lead to violations of guidelines, generation of harmful content, unauthorized access, or influence over critical decisions. The rise of multimodal AI, which processes multiple data types simultaneously, introduces unique prompt injection risks. Malicious actors can exploit interactions between modalities, such as hiding instructions in images that accompany benign text.

Supply Chain and Third-Party Dependencies

Ghostcommit highlights the risks associated with third-party AI tools and dependencies in the software supply chain. Many organizations use AI agents and code review bots, such as CodeRabbit and Bugbot, that may not be equipped to detect multimodal prompt injections. This creates a significant attack surface, particularly in open-source and collaborative environments.

A recent survey of thousands of pull requests across major public repositories found that a majority of merged pull requests reached the default branch with no substantive human review and no bot review at all. Tools like CodeRabbit often exclude image files from review by default, and others like Bugbot may return no findings, leaving organizations vulnerable to attacks like Ghostcommit.

Security Controls and Compliance Requirements

Mitigating Ghostcommit and similar attacks requires a defense-in-depth approach. Organizations should implement multimodal analysis in code review tools, ensuring that both text and images are scanned for malicious content. Runtime monitoring of agent behavior is essential, as is the inclusion of human-in-the-loop controls for high-risk actions. Segregation and identification of untrusted content, along with regular adversarial testing and attack simulations, are critical components of a robust security posture.

Researchers have demonstrated the effectiveness of a multimodal pull-request defender, deployed as a GitHub app, that combines scans for invisible characters, analysis of code structure, and large language model (LLM) passes over both text and images. Such solutions close the structural blind spot exploited by Ghostcommit.

Compliance requirements for generative AI systems increasingly emphasize the need to constrain model behavior, define and validate expected output formats, implement input and output filtering, enforce privilege control and least privilege access, require human approval for high-risk actions, and segregate and identify external content.

Industry Adoption and Integration Challenges

The rapid adoption of AI agents in software development has outpaced the implementation of robust security controls. Many organizations are unaware of the risks posed by multimodal prompt injection and lack the tools to detect or mitigate such attacks. Integration challenges include updating existing code review pipelines to support multimodal analysis, ensuring compatibility with third-party and open-source tools, and training security teams to recognize and respond to new attack vectors.

Vendors of AI code review tools and agentic platforms must prioritize security by implementing multimodal scanning capabilities, providing transparency about their security controls and update practices, and supporting integration with runtime monitoring and incident response systems. Defense in depth, rather than a single fix, is essential to address the evolving threat landscape.

Technical Specifications and Requirements

Effective defense against Ghostcommit requires multimodal AI agents capable of processing both text and images, code review tools with support for image analysis and prompt detection, runtime monitoring for agent actions involving sensitive files, and integration with SIEM and EDR solutions for detection and response.

Cyber Perspective

From a security expert’s perspective, Ghostcommit represents a paradigm shift in AI supply chain attacks. Attackers can now exploit the blind spots of AI-powered automation by embedding malicious prompts in non-textual data, such as images. This technique is particularly dangerous because it bypasses both human and automated reviews, allowing for stealthy exfiltration of secrets and manipulation of codebases.

For defenders, traditional security controls—such as static code analysis and secret scanning—are no longer sufficient. Organizations must adopt multimodal analysis, runtime monitoring, and adversarial testing to detect and prevent such attacks. The market will likely see increased demand for advanced AI security solutions, as well as greater scrutiny of third-party dependencies and supply chain practices.

For attackers, Ghostcommit opens new avenues for supply chain compromise, data exfiltration, and privilege escalation. The technique is likely to evolve, with attackers experimenting with other file formats and modalities to evade detection.

Authoritative Sources Quoted

BleepingComputer: "'Ghostcommit' hides prompt injection in images to fool AI agents, steal secrets" https://www.bleepingcomputer.com/news/security/ghostcommit-hides-prompt-injection-in-images-to-fool-ai-agents-steal-secrets/

Trail of Bits: "Prompt injection to RCE in AI agents" https://blog.trailofbits.com/2025/10/22/prompt-injection-to-rce-in-ai-agents/

OWASP GenAI Security Project: "LLM01:2025 Prompt Injection" https://genai.owasp.org/llmrisk/llm01-prompt-injection/

About Rescana

Rescana’s Third-Party Risk Management (TPRM) solutions are designed to help organizations identify, assess, and mitigate risks in their software supply chain. Our platform provides comprehensive visibility into third-party dependencies, vendor security practices, and integration requirements. With Rescana, organizations can continuously monitor their supply chain for emerging threats and vulnerabilities, assess the security posture of vendors and third-party tools, automate compliance checks and risk assessments, and receive actionable insights to strengthen their security controls.

We are happy to answer any questions at info@rescana.com.