ทันเอไอ

Global AI & tech news, in your language · every story source-checked

🌐Follow
← Back to news
AI Models & ResearchVerified

Researchers discover 'Ghostcommit,' a new technique to hide malicious commands in image files and deceive AI into stealing confidential data.

A security research team demonstrated 'Ghostcommit,' a technique that embeds malicious commands into PNG image files to evade detection and trick AI into writing code to successfully extract critical data from projects.

📅 12 Jul 2026, 04:11
Researchers discover 'Ghostcommit,' a new technique to hide malicious commands in image files and deceive AI into stealing confidential data.

ASSET Research Group, a security research team, has unveiled a new attack technique called 'Ghostcommit.' This method can hide malicious Prompt Injection commands (unauthorized instructions to guide AI) within seemingly harmless image files like PNGs to steal confidential data, such as API Keys or database passwords, from a developer's code repository.

Ghostcommit's method exploits a blind spot in popular AI code reviewers like CodeRabbit and Bugbot, which are typically not designed to open or analyze the content within image files, allowing hidden commands to easily escape detection. This technique operates by dividing the attack into two parts. The first part is a seemingly normal text file (in this case, AGENTS.md) which instructs the AI agent to 'fetch build constants' from a specified image file (docs/images/build-spec.png). The second part, which is the core of the attack, is the malicious command embedded as text within that very image file. This command tells the AI to read the content of the .env file (a file developers often use to store sensitive information) character by character, convert it into ASCII numerical codes, and then write it into the code.

In a real-world test, researchers demonstrated this with Cursor, an AI agent powered by the Claude Sonnet model. It was found that Cursor was successfully tricked into following the hidden commands in the image on the first attempt. It generated a list of 311 numbers, which were, in reality, all the project's confidential data, including API keys, database URLs, and cloud access credentials, encoded and blended into what appeared to be a normal code review.

This vulnerability arises because for text-centric code review systems, image files are merely uninterpretable Binary Blobs. Researchers point out that this is not an entirely new concept. Previously, researchers from Trail of Bits demonstrated a more sophisticated technique using images that, when downscaled by AI, would transform into Prompt Injection commands to deceive tools like Gemini CLI. Currently, the ASSET Research Group team is developing a Multimodal defense system (that understands multiple data types) to concurrently inspect images, text, and AI agent behavior to patch such vulnerabilities in the future.

Why it matters
This vulnerability highlights a significant blind spot in current AI-powered software development tools. It serves as a warning for developers using AI agents that even seemingly harmless image files could be a channel for malicious actors to steal critical project data.
#Prompt Injection#AI Security#Cybersecurity#ช่องโหว่ AI

Related news

โมเดล & วิจัย AI
Notion เปิดตัวแอปแยก 'Notion Agents' ผู้ช่วย AI ส่วนตัวบน iOS เลือกสลับใช้ได้ทั้ง GPT, Claude, Gemini
โมเดล & วิจัย AI
"ตัวตนที่ไม่ใช่มนุษย์" จาก AI Agent กลายเป็นช่องโหว่ใหม่ที่องค์กรต้องรับมือ
โมเดล & วิจัย AI
Microsoft เตือน: อัปเดต Windows รอบหน้าจะใหญ่ขึ้น เพราะใช้ AI ช่วยหาช่องโหว่
โมเดล & วิจัย AI
Google เริ่มระบุแล้ว โฆษณาชิ้นไหนสร้างด้วย AI ให้ผู้ใช้ตรวจสอบได้