A new attack technique called GhostCommit just made AI-assisted code review look like a liability. Researchers from ASSET Research Group built a pull request that silently steals a repository's secrets — and walked it straight past two of the leading AI reviewers without a single flag.

The trick: the malicious instruction isn't in the code. It's in an image.

What actually happened

The researchers first tried the obvious version. A new AGENTS.md file (the kind coding agents read automatically as project policy) containing plain text instructions to read .env and encode every byte as ASCII codepoints. Both Cursor Bugbot and CodeRabbit caught it immediately — HIGH severity, flagged before merge. Text-based reviewers can read text.

So they moved the payload into a PNG.