If your business uses AI tools to help write code, review software, or automate workflows, this week's tip is one you need to pay close attention to.

Hackers Are Now Hiding Attack Instructions Inside Images and AI Tools Are Falling For It

Researchers just published a proof-of-concept attack called Ghostcommit that demonstrates something genuinely alarming. Attackers can hide malicious instructions inside an ordinary image file, have AI tools read and act on those instructions without any human ever noticing, and walk away with your business's most sensitive passwords and access keys — all without triggering a single security alarm.

What Ghostcommit Actually Does

Here is the attack in plain terms.

An attacker submits a seemingly routine update to a software project. Buried inside that update is an image file — the kind of image that would normally be used for documentation or project notes. To any human reviewer, it looks like a picture. To most automated security tools, it is just a binary file not worth examining.

But hidden inside that image, in plain readable text, are instructions directed at AI coding assistants. Instructions like: open the environment file, read every password and access key stored inside it, and encode the contents into the code as an innocent-looking list of numbers.

Later, when a developer asks their AI coding tool to build something completely unrelated — a simple tracking module, for example — the AI reads the project files at startup, finds the image, follows the instructions inside it, and quietly writes all of the stolen credentials into the new code. The developer sees the feature they asked for and approves it. The credentials are now sitting in the public codebase, disguised as a harmless string of numbers. The attacker decodes them at their leisure.

Security scanners never flag it. Nobody asked the AI to steal anything. It simply followed the instructions it found.

Why This Went Undetected

Two of the most widely used AI code review tools, CodeRabbit and Bugbot, never examined the image file at all. CodeRabbit's default settings exclude image files from review entirely. Bugbot returned no findings. Researchers even placed the words "malicious prompt injection" and explicit theft instructions in plain text inside the image, and both tools passed it clean.

The technique slipped past AI code reviewers that never open image files at all, then convinced a coding agent to read the repository's environment file and write every secret into the code as a list of numbers.

The researchers also found that this problem is more widespread than most people realize. A survey of nearly 6,500 pull requests across the 300 most active public software repositories found that 73 percent of merged changes reached the codebase with no substantive human review and no automated review at all. The attack does not need to defeat a security system. In most cases, there is no security system to defeat.

The Bigger Picture

Ghostcommit is part of a growing pattern of attacks that exploit a fundamental blind spot in AI tools: they process and act on content they are shown without being able to distinguish between legitimate project instructions and malicious ones embedded by an attacker.

Earlier attacks have hidden instructions in downscaled images that look clean to the human eye but resolve into readable text when an AI processes them. Others have embedded fake system messages inside malware to confuse AI security analysis tools. Ghostcommit does not even bother hiding the instructions visually. The image contains the attack in plain text. It works simply because the AI reviewer never opens the file.

Why This Matters for Your Business

Your business may not be running a software development team, but this attack pattern has implications that reach well beyond coding environments.

Any business that uses AI tools to process documents, review files, summarize content, or automate workflows is operating in an environment where the AI can be manipulated by content it is shown. An AI assistant asked to summarize a document, process an attachment, or work through a project folder can be directed by hidden instructions embedded in any file it encounters along the way.

The researchers' own testing found that the outcome depended heavily not on which AI model was used, but on which tool or platform wrapped around that model. The same AI model refused the attack in one environment and carried it out successfully in another. That means the security posture of the tools your team uses matters enormously.

What Your Team Should Do Right Now

Any AI tool used in your business environment should have clearly defined boundaries around what files and systems it can access. An AI assistant should not have standing access to credential files, sensitive configuration data, or systems it does not need for its specific task.

Review the permissions and access levels granted to AI tools in your environment. If an AI coding assistant, document processor, or workflow automation tool has access to sensitive credentials or internal systems, ask whether that access is necessary and what controls are in place if the tool is manipulated.

Do not rely solely on automated AI review tools as a security checkpoint, especially for code or document changes that include image files or attachments. Human review remains a critical layer that automated tools cannot fully replace.

Treat AI tool outputs with the same scrutiny you would apply to any other software change. If an AI-generated result contains unexpected content, unfamiliar data structures, or anything that does not match what was requested, flag it before approving or deploying it.

Stay current on updates to any AI tools your team uses. Vendors are actively working to address these blind spots, and updates matter.

The Bottom Line

Ghostcommit is a clear demonstration that AI tools can be manipulated through content they are shown, and that the attack does not need to be sophisticated to succeed. It just needs to reach a file the AI will read and a security tool that will not look inside it. As AI tools become more deeply embedded in business workflows, the instructions those tools follow become a new attack surface — one that most businesses have not yet thought about.