Fetching from the wire…
Security2026-07-13 · source-backed
Researchers at University of Missouri-Kansas City disclosed Ghostcommit on July 11: malicious instructions embedded inside image files that AI coding agents read and execute during pull-request work (SecNews). It exploits a structural blind spot. Neither human nor AI reviewers open image files during PR review, but coding agents parse them later and follow embedded commands. If you run agents on untrusted PRs, images are now an unguarded injection channel next to markdown and code. Treat every file type an agent can read as attacker-controlled, including the ones humans skim past.
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage / Tension
Both cover July, PRs; overlapping topics (code, coding); earlier July coverage from 2026-04-28.
Shared entities / Shared topic / Earlier coverage
Both cover PRs, Treat; overlapping topics (agent, code, coding); earlier PRs coverage from 2026-05-24.
Both cover PRs, Researchers; overlapping topics (code, coding); earlier PRs coverage from 2026-04-21.
Shared entity: Researchers / Shared topic / Earlier coverage / Tension
Both cover Researchers; overlapping topics (agent, code, coding); earlier Researchers coverage from 2026-04-22.
Shared entity: PRs / Shared topic / Earlier coverage / Tension
Both cover PRs; overlapping topics (agent, code, command); earlier PRs coverage from 2026-03-20.
Shared entity: Treat / Shared topic / Earlier coverage
Both cover Treat; overlapping topics (agent, attacker-controlled, command, disclosed); earlier Treat coverage from 2026-06-05.
Shared entity: Researchers / Shared topic / Earlier coverage
Both cover Researchers; overlapping topics (agent, command, embedded, execute); earlier Researchers coverage from 2026-05-25.
Shared entity: PRs / Shared topic / Earlier coverage
Both cover PRs; overlapping topics (agent, channel, code, coding); earlier PRs coverage from 2026-05-13.