A New Kind of Attack Targets What AI Code Reviewers Ignore

AI coding assistants have become a standard part of many developers' workflows, reviewing code, explaining confusing functions, and writing entire features from a single prompt. That growing trust is exactly what a newly demonstrated security exploit takes advantage of. Instead of hiding malicious instructions inside lines of code, security researchers built a proof-of-concept attack that tucks those instructions inside an image file.

The work comes from professor Sudipta Chattopadhyay and researcher Murali Ediga, who found that many AI review tools treat images as decorative assets rather than something worth scrutinizing. Because of that blind spot, a pull request carrying a booby-trapped image can look completely harmless and pass review without raising any flags.

Why an Ordinary-Looking Image Is the Ideal Hiding Place

The concept is easiest to picture with a simple example: a company logo sitting quietly in the corner of a document. Most people would glance at it and move on without a second thought. Now imagine that same logo secretly contained instructions telling an AI assistant to open a password vault the next time it was used. That is essentially the mechanism behind this proof of concept — a file type nobody thinks to inspect becomes the delivery method for hidden commands.

The Exploit Waits Before It Strikes

Unlike an attack that fires the moment tainted code is merged, this one is patient. The hidden instructions don't execute right away. Instead, they sit dormant until a developer later asks an AI coding assistant to handle a completely unrelated task, such as writing a helper function or adding a new module. By that point, the assistant has already absorbed the buried instructions from the image and can unknowingly reach into sensitive project files, later slipping confidential information into the code it generates.

How the Stolen Data Avoids Detection

What makes this especially concerning is how the extracted data is packaged. Rather than dumping stolen information into the source code in an obvious way, the attack disguises it as ordinary-looking values that blend in with legitimate code. That disguise makes the leaked data far less likely to trip existing security tools or catch a developer's attention during a routine review.

The AI Model Isn't What Decides the Outcome

One of the more notable findings is that success or failure of the attack wasn't determined by which large language model was doing the work. The same underlying model behaved very differently depending on which coding assistant it was wrapped in. Some tools blindly followed the hidden instructions embedded in the image, while others recognized something was off and refused to continue.

Trust and File Access Are the Real Vulnerability

That inconsistency points to something bigger than any single chatbot. The real issue is how AI-powered coding platforms decide what information to trust and which project files they are allowed to touch. A model can be perfectly capable of catching a manipulation attempt, yet still get overridden by the permissions and assumptions built into the assistant surrounding it.

Researchers Say the Fix Is Treating Every File Type With Equal Suspicion

The researchers don't see this as an unsolvable problem. Their argument is that AI review tools need to become genuinely multimodal — treating images, documentation, configuration files, and other non-code assets with the same level of scrutiny given to source code. If an AI system is capable of reading a picture, it also needs to be built to recognize that the picture could be trying to manipulate it.

What This Means for Developers Using AI Coding Tools

For developers leaning on AI assistants to speed up their work, the takeaway is a reminder that supervision still matters. These tools can dramatically accelerate software development, but they also introduce attack surfaces that simply didn't exist before. The next security risk in a codebase might not be buried in thousands of lines of code at all — it could be sitting quietly inside an image that nobody thought was worth opening.