NEWS · JULY 12, 2026 · 6 MIN READ

Ghostcommit and HalluSquatting: Two Attacks Now Operational

PNG-hidden payloads and hallucination squatting moved from theory to proof-of-concept this week, turning AI code reviewers into exfiltration channels and package installers into botnet delivery.


Ghostcommit and HalluSquatting: Two Attacks Now Operational

Two attack patterns that the security community had been discussing as theoretical both crossed into proof-of-concept territory this week. One weaponizes the AI code reviewer itself as an exfiltration channel. The other turns the AI coding assistant's tendency to hallucinate package names into a botnet installer. Neither requires compromising the AI model. Both exploit the tooling wrapped around it.

Ghostcommit: the PNG your reviewer never loads#

The ASSET Research Group at the University of Missouri-Kansas City, led by associate professor Sudipta Chattopadhyay and researcher Murali Ediga, published a proof-of-concept on July 11, 2026 called Ghostcommit. The attack is structurally simple, which is why it works.

A PR adds an AGENTS.md file , the kind of coding-convention file that agents read automatically at startup and treat as project policy. The file looks like build hygiene. It names no secret. It just points to docs/images/build-spec.png. Inside that image, rendered as readable text, are instructions to read the repo's .env byte by byte, encode each byte as an integer, and emit the result as a module-level constant before commit.

Text-based reviewers see a binary blob. CodeRabbit ships with a default config that explicitly excludes PNG files from review. Bugbot returned no findings. The researchers even placed the words "malicious prompt injection" and an explicit .env exfiltration order inside the PNG, and it still passed clean.

Nothing is stolen at merge time. The payload sits dormant until, days later, a developer asks their coding agent for something routine , a token-tracking module, a helper function. The agent reads the merged AGENTS.md, follows the pointer to the image, loads .env, and writes the feature the developer asked for, with a "provenance" constant near the top. In one end-to-end run, Cursor driving Claude Sonnet produced a 311-integer tuple on the first try. API keys, database URLs, and cloud credentials, encoded as integers. The attacker reads the public commit and converts the numbers back to plaintext. Secret scanners never fire, because none of them decode Python integer tuples back to ASCII to check.

The harness matters more than the model#

The ASSET Research Group tested eleven combinations of coding tools and models. The outcome depended more on the surrounding harness than on which model ran inside it. Cursor leaked the full .env across Sonnet 4.6, Composer-2, and GPT-5.5. Antigravity leaked across Sonnet, Gemini 3.1 Pro, and Gemini 3 Flash.

Anthropic's Claude Code refused across every model tested , Sonnet 4.6, Haiku 4.5, and Opus 4.7 , narrating an explicit refusal each time. One edge case is worth noting: Opus under Antigravity computed and wrote the secret, then recognized the social-engineering pattern and deleted it before finishing. Same model, opposite outcomes, determined by the harness, not the weights.

This is the sharpest finding in the disclosure. The vulnerability is not in the model. It is in what the tooling decides to read, trust, and act on. Patching a model version does not close the gap.

HalluSquatting: autocomplete as botnet installer#

Published July 10, 2026 by researchers from Tel Aviv University, Technion, and Intuit, HalluSquatting takes a different angle. Rather than injecting into the review pipeline, it waits for the coding assistant to hallucinate a package name and then supplies a real, malicious package at that name.

The attack is pre-positional. Attackers study which repository and package names LLMs commonly invent when asked to fetch popular resources, then register those names before any developer asks for them. The research team measured hallucination rates reaching 85% for repo-cloning prompts and 100% for skill installations. The same hallucinated names recur across different foundation models, making the technique broadly transferable across Cursor, Windsurf, GitHub Copilot, Cline, and Gemini CLI.

When the coding assistant hallucinates the squatted name and the tool executes the install through its built-in terminal, the attacker's code runs with whatever permissions the agent has. The researchers focused specifically on agentic botnets , infected hosts that spread via prompt injection rather than via network vulnerabilities or lateral movement, producing a more heterogeneous compromised population than traditional botnet architectures like Mirai.

Why these two attacks converge on the same defense gap#

Ghostcommit and HalluSquatting are structurally different. One exploits the review pipeline; the other exploits the install pipeline. But they share a root cause: tools that treat certain inputs as inert.

Text-based code reviewers treat images as binary blobs. Package managers trust names that the AI suggests. In both cases, the tooling's scope definition is the attack surface. Broadening what counts as "executable context" for security purposes is not optional anymore.

A survey of 6,480 pull requests across the 300 most active public repositories over the past 90 days found that 73% of merged PRs reached the default branch with no substantive human review and no bot review at all. That number is the base rate on which both attacks depend.

Three detections to configure now#

The ASSET Research Group built a prototype multimodal GitHub review app, running on a single 4 GB GPU using Gemma 4, that combines invisible-character detection, code-shape analysis, and LLM passes over both convention text and embedded images. Against 80 unseen pull requests, it detected 49 of 50 attacks with zero false positives on the 30 legitimate submissions.

That prototype points at the detection categories every team should be evaluating.

Non-code files as executable context. Images, .cursorrules, AGENTS.md, and other convention files are now an uncontrolled input surface. Any scanner that excludes binary files from review is operating with a structural blind spot by design. CI pipelines need a multimodal pass on any file an agent is known to read at startup.

Entropy baselines on constants and comments. A 311-integer tuple is not normal. Diffing constant additions and new comments against expected entropy for that file type flags anomalies that string-pattern secret scanners miss entirely, because the exfiltrated data is not credential-shaped until decoded.

Near-miss package name detection with registration age. New dependencies whose names closely resemble top-1,000 packages and were registered within the past 90 days are a high-signal indicator for HalluSquatting candidates. This check runs at the lockfile diff, before install, not after.

Hyrax runs PR-level review across all six agent domains , security, code quality, reliability, API and data, ops, and UX , and treats non-code files as executable context by default. The integer-tuple exfiltration pattern and the AGENTS.md pointer chain are both detectable at diff time, before any agent processes them downstream. The bottleneck for both attacks is the review step that happens before merge.

As covered in the bottleneck moved, the cost of generating code fell to near zero while the cost of trusting it did not. Ghostcommit and HalluSquatting are two more reasons that gap is now a security boundary, not just a quality concern.

The ASSET Research Group has published the Ghostcommit proof-of-concept, including the split-payload PR and a decoder, as open source for defenders to study. That is the right call. Defenders need to build detections against a known artifact. The alternative is waiting for the integer tuple to show up in a production commit.

Hyrax is live at hyrax.dev.


Sources

  1. 01bleepingcomputer.com
  2. 02securityweek.com
  3. 03cybersecuritynews.com