The Evolution of the KytyPS5 Compatibility Layer
Invisible Instructions: The Art of Stealing AI Secrets

Modern software engineering is increasingly reliant on AI agents capable of autonomously analyzing code, suggesting refactors, and even managing the merge process via pull requests. However, this automation has created a fertile breeding ground for the "Ghostcommit" attack. The core of this method lies in the use of visual files—such as PNGs—which most static analysis tools and human reviewers simply ignore, treating them as opaque binary objects (blobs).
The mechanics of the attack are elegantly simple: an attacker injects a style guide file, such as AGENTS.md, into the repository. To a human, this document appears to be a standard set of instructions for maintaining build consistency. Hidden within, however, is a link to an image that serves as a carrier for a malicious prompt. When the AI agent parses the project instructions, it processes the image and executes the embedded command.

The primary target is the .env file, where secret keys and access passwords reside. The instruction within the image compels the agent to read this file byte-by-byte and encode each value as a standard integer. These data points are then written into the project's source code as seemingly innocuous module constants. Because modern secrets scanners are tuned to detect familiar patterns (such as ASCII-formatted API keys), this sequence of integers remains invisible to them. Consequently, the developer—seeing a useful function generated by the agent—commits the changes, effectively publishing their secrets to the public domain in an obfuscated form.
The problem is exacerbated by the catastrophic state of review culture in public repositories. An analysis of over six thousand merge requests across the most active projects revealed that nearly 73% are merged into the main branch without any substantive review—neither by humans nor automated bots. Tools like CodeRabbit or Bugbot exclude images from their analysis scope by default, leaving them powerless against Ghostcommit. Even explicit warnings about "malicious prompt injection," inserted by researchers directly into the PNG files, failed to halt the verification process.
Interestingly, resilience to the attack depends less on the model itself than on the software wrapper in which it is integrated. For instance, the Cursor editor (powered by Claude Sonnet) successfully executed the data theft on the first attempt. Meanwhile, Claude Code—utilizing the same model weights—recognized the manipulation and refused to execute it. The Opus model showed signs of "resistance" in certain scenarios, detecting social engineering elements during the output phase, yet remained vulnerable depending on the runtime environment settings.
This case is part of a broader trend toward deceiving LLMs via non-textual data. Previous demonstrations have shown methods where images change meaning upon resampling (scaling), transforming into readable text for the AI, or cases involving forged Git user metadata to legitimize malicious code. Even macOS malware, such as Gaslight, has attempted to inject fake system failure messages to confuse automated analysis tools.
Countering these threats requires a transition toward defense-in-depth. One potential solution is the creation of specialized multimodal "guardians" for pull requests—applications that combine invisible character scanning and code structure analysis with LLM-based verification of all visual assets. However, the most effective line of defense remains runtime monitoring: the system must flag any instance of an agent accessing sensitive credential files when such access is not required for the current task.
Parallel to this, advanced image distortion methods are evolving, such as JaiLIP (Jailbreaking with Loss-guided Image Perturbation). This approach allows for subtle changes—nearly imperceptible to the human eye—that radically alter a multimodal model's response to a user query. This confirms the thesis that the visual interaction channel is becoming one of the most dangerous and least controlled interfaces in modern cybersecurity.

