
GhostCommit Attack Hides Prompt Injection in PNG to Steal Developer Secrets
A new supply chain attack can trick AI coding agents into stealing developer secrets without triggering a single review tool. Researchers at ASSET Research Group have disclosed the technique, dubbed GhostCommit, which smuggles prompt-injection instructions inside PNG images to make coding agents exfiltrate .env secrets, bypassing both human and LLM-based pull request review entirely. The […]
The post GhostCommit Attack Hides Prompt Injection in PNG to Steal Developer Secrets appeared first on Cyber Security News.