Google Antigravity in Crosshairs of Security Researchers, Cybercriminals

Researchers discovered a remote code execution vulnerability and cybercriminals are using its reputation to deliver malware.

Google Antigravity’s increasing popularity has brought the development platform into the crosshairs of both security researchers and cybercriminals.

Google Antigravity is an ‘agent-first’ development platform that evolves the traditional code editor into a mission control for autonomous AI agents. Powered by Gemini, the IDE enables developers to delegate complex, multi-step engineering tasks to independent AI workers that can plan, execute, and verify code.

Antigravity vulnerability

Researchers at Pillar Security discovered that Antigravity is affected by a vulnerability that can allow an attacker to escape the sandbox and remotely execute arbitrary code.

The flaw, which Google patched in late February, is caused by insufficient input sanitization in a parameter, enabling an attacker to inject commands that would get executed via a file search operation.

The researchers demonstrated how an attacker could stage a malicious script and execute it via an apparently legitimate search. The attack method bypassed Antigravity’s Secure Mode.

“The same behavior can be triggered via indirect prompt injection without any prior compromise of the user’s account,” Pillar researchers explained. “A user pulls a benign-looking source file from an untrusted origin, such as a public repository, containing attacker-controlled comments that instruct the agent to stage and trigger the exploit.”

Antigravity’s popularity used for malware delivery

Researchers at Malwarebytes discovered that a Google search for Antigravity could lead users to a fake website set up to serve a trojanized installer.

They noticed that the domain google-antigravity(.)com, which hosts a fake Antigravity website, delivers an installer that actually installs the IDE platform. However, it also deploys two PowerShell scripts that enable attackers to deliver an additional payload: a stealer malware designed to harvest sensitive data from the compromised system. 

The malware targets browser data (saved passwords, cookies and autofill data), messaging applications, cryptocurrency wallets, gaming platforms, and FTP clients. 

“Beyond data theft, the malware also imports Windows APIs used for clipboard hijacking and keystroke logging, tools that can capture what you type or swap a cryptocurrency wallet address at the exact moment you send funds,” Malwarebytes researchers explained.

They added, “It also includes the building blocks for ‘hidden desktop’ tradecraft: creating a second, invisible Windows desktop that the attacker can capture and potentially control. In its most advanced form, this lets an attacker operate inside that hidden environment—logging in to accounts, approving transactions, or sending messages—while the victim’s real screen shows nothing unusual.”

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
