AI coding assistants like Claude are becoming every developer’s favorite coworker. They can review code, explain confusing functions, and even write entire features with a single prompt. But new research suggests that this growing trust could also become their biggest weakness.
A team of security researchers (professor Sudipta Chattopadhyay and researcher Murali Ediga) has demonstrated an unusual attack that doesn’t target the AI model directly. Instead, it targets what the AI doesn’t pay enough attention to during code reviews. Rather than hiding malicious instructions in lines of code, the researchers tucked them inside an image file. Since many AI review tools treat images as decorative assets rather than as something worth inspecting, the pull request can appear perfectly harmless and sail through the review.
The most dangerous file might be the one you’d never open
Imagine receiving a document with a company logo in the corner. You’d probably glance at it and move on. Now imagine that logo secretly contained instructions telling your AI assistant to open your password vault the next time you used it. That’s essentially the idea behind this proof of concept. The trick doesn’t execute immediately after the code is merged, either. It waits until a developer later asks an AI coding assistant to perform a completely unrelated task, such as creating a helper function or adding a new module. By then, the AI has already absorbed the hidden instructions and can unknowingly access sensitive project files before slipping confidential information into the code it generates.

What’s especially worrying is that the stolen data isn’t dumped into the source code in an obvious way. Instead, it’s disguised as ordinary-looking values that blend in with legitimate code, making them far less likely to trigger existing security tools or catch a developer’s eye during a quick review.
It’s not just about which AI you use
The researchers also found that the outcome wasn’t determined by which large language model was being used. In many cases, the same AI model behaved very differently depending on the coding assistant wrapped around it. Some tools blindly followed the hidden instructions, while others recognized something suspicious and refused to continue. That’s an important distinction because it suggests the problem isn’t limited to a particular chatbot. The real challenge lies in how AI-powered coding platforms decide what information to trust and which project files they’re allowed to access.

The good news is that the researchers don’t believe this is an impossible problem to solve. They argue that AI review tools need to become “multimodal” in the truest sense — treating images, documentation, configuration files, and other non-code assets with the same level of scrutiny as source code. If an AI can read a picture, it also needs to understand that the picture could be trying to manipulate it. For developers, this is another reminder that AI coding tools still need supervision. They can dramatically speed up software development, but they also open entirely new attack surfaces that didn’t exist before. The next security risk might not be hidden in thousands of lines of code — it could be sitting inside an image that nobody thought was worth opening.