Researchers have built a pull request that steals a repository's secrets by hiding the malicious instruction inside a PNG that AI code reviewers never open.

The reviewer waves the change through. Later, a coding agent reads the picture, opens the repo's .env, and writes every key into the source as a harmless-looking list of numbers.

How 'Ghostcommit' works

The attack comes from the ASSET Research Group's Sudipta Chattopadhyay, an associate professor at the University of Missouri-Kansas City, who shared the research with BleepingComputer.

The group published a proof-of-concept on GitHub this week and says it has disclosed the findings to the affected vendors.