Skip to main content
AI Code Reviewers Missed This Attack 79 TimesIncident
4 min readFor Security Engineers

AI Code Reviewers Missed This Attack 79 Times

A research team at the University of Missouri-Kansas City has published proof-of-concept code for an attack that bypasses AI code review tools by hiding malicious instructions inside PNG files attached to pull requests. They call it "Ghostcommit," and it works because most AI reviewers don't analyze images.

Here's what happened, what failed, and what you need to change in your workflow.

What Happened

The ASSET Research Group embedded prompt injection instructions into image files and attached them to pull requests. When developers used AI assistants to review or apply the code changes, the AI tools read the hidden instructions from the images and executed them, extracting secrets, modifying code, or exfiltrating repository contents.

The attack worked against multiple AI code review platforms. CodeRabbit, for example, explicitly excludes image files from its review scope. Other tools processed the images but didn't flag the embedded instructions as malicious. Claude Code refused to process the malicious image, showing that detection is possible but not universal.

The researchers published their proof-of-concept on GitHub, making the technique immediately available to anyone who wants to replicate it.

Timeline

The research team ran a live trial against 80 pull requests containing image-based attacks. Only one attack was caught, by a custom multimodal pull-request defender they built specifically to detect this threat vector. The other 79 went undetected by standard AI review tools.

This isn't a theoretical gap. Separate research shows that 73% of merged pull requests reach the default branch with no substantive human review and no bot review. Your AI reviewer might be the only thing standing between a malicious commit and your production environment. If it can't read images, you have a blind spot.

Which Controls Failed

Automated code review tools failed to inspect non-code artifacts. Most AI reviewers scan text files for suspicious patterns but skip binary files, images, and other attachments. This creates an obvious bypass: hide your payload where the scanner doesn't look.

Input validation on AI prompts was missing or ineffective. The AI tools that did process images didn't treat them as untrusted input. They ingested embedded instructions without validating whether those instructions were legitimate review requests or malicious commands.

Defense in depth wasn't implemented. Organizations relying solely on AI code review had no secondary control to catch what the AI missed. No OCR scan of images. No human spot-check of high-risk PRs. No runtime monitoring to detect unusual behavior after merge.

Least privilege principles weren't enforced for AI agents. The AI reviewers had enough access to read secrets, modify code, and potentially exfiltrate data. If your bot can do everything a senior engineer can do, it's an attractive target.

What the Standards Require

PCI DSS v4.0.1 Requirement 6.3.2 mandates that custom software be reviewed prior to release to identify and correct coding vulnerabilities. If your AI reviewer can't detect image-based prompt injection, you're not meeting this requirement. The standard doesn't care whether your review process is human or automated, it has to work.

OWASP ASVS v4.0.3, Section 5.2.1 requires that all untrusted input be validated. Images attached to pull requests are untrusted input. If your AI assistant processes them without validation, you're violating this control.

NIST 800-53 Rev 5, Control SI-10 (Information Input Validation) requires organizations to check the validity of information inputs. Embedded instructions in image files count as information inputs. Your validation logic needs to cover them.

ISO/IEC 27001:2022, Annex A.8.8 (Management of Technical Vulnerabilities) requires timely information about technical vulnerabilities and evaluation of exposure. Ghostcommit is now a known vulnerability in AI-assisted code review. You need to assess your exposure and implement mitigations.

Lessons and Action Items

Stop treating images as passive artifacts. Any file attached to a pull request can carry malicious content. Run OCR on images. Hash-check binaries. Scan PDFs for embedded scripts. If it enters your repository, inspect it.

Validate AI tool configurations. Check whether your code review tools exclude certain file types from analysis. If they do, you need a compensating control. Either configure the tool to inspect all file types or add a secondary scan that catches what the primary tool misses.

Implement multimodal threat detection. The researchers' custom defender caught 79 out of 80 attacks by analyzing both code and non-code elements of pull requests. You don't need to build this from scratch, combine your existing AI reviewer with an image analysis tool that flags suspicious text in attachments.

Apply least privilege to AI agents. Your code review bot doesn't need write access to secrets. It doesn't need permission to modify merged code. Scope its access to read-only review functions. If it gets compromised, limit what an attacker can do with it.

Require human review for high-risk changes. Define "high-risk" based on file paths (anything touching auth, secrets management, payment processing), PR metadata (external contributors, first-time authors), or content flags (binary files, images, compressed archives). Route these PRs to a human reviewer even if the AI approves them.

Monitor post-merge behavior. Set up runtime detection for unusual repository access patterns. If a recently merged PR triggers secret reads, code modifications, or data exfiltration shortly after merge, flag it for investigation. This won't prevent the attack, but it'll limit the damage window.

Test your defenses. The Ghostcommit proof-of-concept is public. Run it against your own workflow in a sandboxed environment. See whether your tools catch it. If they don't, you know exactly what to fix.

The gap isn't that AI code reviewers are bad at their jobs. It's that they're good at reviewing code and nothing else. If you're using them as your only gate, you're assuming attackers will only hide malicious logic in code files. They won't.

CVE database

Topics:Incident

You Might Also Like