The Intake
The Intake — Monday, July 14, 2026
On the substrate
AI coding agents exfiltrate repository secrets via PNG-embedded prompt injection in pull requests
ASSET Research Group, UMKC BleepingComputer CyberSecurityNews
If you've been treating image files in pull requests as inert content your coding agent won't process, the Ghostcommit disclosure names the assumption.
The ASSET Research Group at the University of Missouri-Kansas City published the disclosure and named the attack Ghostcommit. Researchers Sudipta Chattopadhyay and Murali Ediga led the work. The attack embeds malicious instructions as rendered text inside a PNG image. The image arrives via a pull request. When a repository's AGENTS.md file points to the image, an AI coding agent reads and executes those instructions. The researchers tested 11 tool-model combinations across two coding harnesses. All 11 leaked repository secrets via the image pointer chain. Claude Code explicitly refused the attack in every combination tested. At each attempt, it narrated a refusal. For detection, the team built a prototype using Gemma 4. The prototype runs on a 4GB GPU. It identified 49 of 50 attack samples. It produced zero false positives across 30 benign pull requests. No CVE has been assigned. The disclosure is available at the ASSET Research Group's GitHub. A proof-of-concept repository accompanies it.
If your AGENTS.md references image files from pull requests, those image paths are the attack entry point the Ghostcommit disclosure names.
---
Claude Code shipped tracking code in versions 2.1.91 through 2.1.196; Anthropic confirms removal as of 2.1.198
If your Claude Code version falls anywhere between 2.1.91 and 2.1.196, China's National Vulnerability Database published an advisory on July 8, 2026. The advisory recommends immediate upgrade or uninstall.
The advisory characterizes those versions as containing a built-in monitoring mechanism. That mechanism collected user location and identity data. It forwarded that data to remote servers. The code was added in March 2026, per Anthropic engineer Thariq Shihipar. Shihipar described it as an anti-distillation and anti-reseller safeguard. The pull request merging its removal was published July 1. Version 2.1.198 and later do not contain it. Alibaba banned staff from using Claude Code following the advisory. The code was present across approximately 15 weeks of releases before removal. No CVE has been assigned.
If you're running Claude Code, version 2.1.198 is where Anthropic says the tracking code was removed.
---
For operators
Cloudflare introduces three AI crawler categories; Training and Agent crawlers blocked by default for new domains and free-tier ad-monetized sites starting September 15
Cloudflare Blog TechCrunch The Register
If you operate a site behind Cloudflare and haven't modified your default bot settings, the September 15 policy change applies automatically.
Cloudflare's July 1 announcement restructured its AI bot controls into three categories: Search, Agent, and Training. Search covers indexing for search results; Agent covers real-time automated actions; Training covers crawling to train or fine-tune models. Starting September 15, 2026, Cloudflare will apply a default block. The block covers Training and Agent crawlers. The default applies to all new domains onboarding to the network. Existing free-tier customers with ad-monetized pages are also included if they have not modified their bot settings. Multi-purpose crawlers are classified under both Search and Training. These include Googlebot, Bingbot, and Applebot. The most restrictive applicable rule applies: a Training block will also block their Search function on affected pages. Cloudflare is launching a Pay Per Crawl marketplace — renamed Pay Per Use — as an alternative to blanket blocking. Initial partners are Ceramic.ai and You.com.
If your product crawls other sites as an AI agent, or if you operate a Cloudflare-proxied site that depends on AI agent traffic, September 15 is when the default block takes effect for accounts that take no action.
---