Google Fixes Critical Vulnerability in Antigravity IDE

21.04.2026 5 minutes Author: Newsman

Google has fixed a serious vulnerability in its AI-focused development environment Antigravity that allowed arbitrary code execution via prompt injection attacks.

Researchers have identified a serious vulnerability in Google’s latest AI developer platform, Antigravity. The flaw let attackers combine two ordinary operations: creating a file with the platform’s file-creation feature, and passing weakly validated input to Antigravity’s built-in “find_by_name” search option.

Because Antigravity allows users to create files under its default permissions, the researchers used the file-creation function as one component of the attack, while also exploiting the missing input validation in Antigravity’s built-in “find_by_name” search. This combination let them bypass Antigravity’s “strict mode,” a security measure that restricts network connections, prohibits writing outside the workspace, and runs each command in a sandbox.

According to researcher Dan Lisichkin, all that was needed was to place a specially formed argument carrying the “-X” flag into the “Pattern” variable; the underlying “fd” utility then executed an arbitrary binary located in the workspace. The researchers injected their own script into Antigravity and used the “find_by_name” function to disguise its execution as a legitimate file search. Although the attack is relatively straightforward, it is extremely hazardous.

First, a malicious file was created; it was then launched as part of a legitimate Antigravity operation through the “find_by_name” function. Once the malicious content had been introduced into the workflow, no further user interaction was required.

In essence, because “find_by_name” was invoked before Antigravity’s “strict_mode” processing began to apply, Antigravity treated the call as coming from an internal tool rather than from a user, and therefore allowed commands to be executed. Moreover, instead of being handled as an ordinary search pattern (the intended purpose of “Pattern”), the input was passed straight to the “fd” command without validation, which created the opportunity for exploitation.

For instance, the “-Xsh” flag makes “fd” hand every file that “find_by_name” found to the “sh” shell to be executed as a script. Executing the malicious code thereby became just another part of what Antigravity would normally be expected to do.
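The root cause described above is a search pattern that reaches the “fd” command line in a position where fd parses options. The following is an added illustration, not Antigravity’s own code, of how a find_by_name-style wrapper can keep the pattern strictly positional: an allow-list on the pattern, a refusal of option-like values, and the “--” terminator so that fd never interprets the pattern as a flag. The function names, the allow-list and the workspace path are assumptions.

```python
import re
import subprocess
from typing import List

# Constructed example (not Antigravity's code): the weak and the hardened way
# for a find_by_name-style tool to build the argv it hands to `fd`.

# Hypothetical allow-list of what a workspace search pattern may contain.
# Narrow it to whatever the tool really needs; the point is that the set is
# closed, so shell metacharacters and other surprises are rejected outright.
_SAFE_PATTERN = re.compile(r"[A-Za-z0-9_.*?\[\]\-/ ]+")


def build_fd_argv_unsafe(pattern: str, workspace: str) -> List[str]:
    """Weak shape: the raw pattern lands where fd still parses options.

    A value beginning with '-' (such as the -X / --exec-batch family) is read
    by fd as a flag instead of as a search pattern.
    """
    return ["fd", pattern, workspace]


def looks_like_option(pattern: str) -> bool:
    """Detection helper: would this Pattern value be parsed by fd as an option?"""
    return pattern.startswith("-")


def build_fd_argv(pattern: str, workspace: str) -> List[str]:
    """Hardened shape: validate, refuse option-like input, terminate options."""
    if not pattern or not _SAFE_PATTERN.fullmatch(pattern):
        raise ValueError("pattern contains characters outside the allowed set")
    if looks_like_option(pattern):
        # Belt and braces: even though "--" below would already neutralise it,
        # an option-looking pattern is never a legitimate file search.
        raise ValueError("pattern must not start with '-'")
    # "--" tells fd that everything after it is positional: pattern, then path.
    return ["fd", "--", pattern, workspace]


def run_find_by_name(pattern: str, workspace: str) -> List[str]:
    """Run the hardened search; list-form argv means no shell is involved."""
    argv = build_fd_argv(pattern, workspace)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout.splitlines()
```

Note that build_fd_argv_unsafe is kept only to show the shape of the defect; a tool should expose only the hardened builder.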

Additionally, the researchers described another way to exploit Antigravity, one that requires attackers to gain access to a user’s account. The attacker need only trick the user into opening a file from an untrustworthy source. Such files may embed instructions or payloads that Antigravity’s AI agent interprets as a command, at which point the exploitation can proceed autonomously.

Google was informed of the threat on January 7th, 2026, and fully resolved it by closing off all avenues of entry on February 28th.

A very important point made by Lisichkin is that when tools designed for specific purposes fail to validate their input, they become an easy target for those who seek to turn them against you. Furthermore, because AI systems do not rely on humans to interpret and execute commands from external sources, these vulnerabilities represent an even greater risk.

Similar incidents have occurred before with other AI tools. One example is “Commenting and Control,” in which malicious instructions were introduced through GitHub comments into Anthropic Claude, Google Gemini CLI and GitHub Copilot Agent; the malicious requests could then steal API keys and tokens.

Another issue arose in Claude Code: there was a method to poison the agent’s memory so that malicious changes persisted even after a system restart, opening the door to sustained attacks that manipulate the model’s behavior.

A further example of the risks of using AI is the incident surrounding the Cursor editor. Researchers identified a process they called the NomShub Attack Chain, through which an attacker could gain complete access to a developer’s computer simply by having them open a repository. The attack relied on standard system functions such as shell commands and remote access, left no obvious signs of exploitation (such as logs), and was therefore nearly undetectable. Once exploited, the attacker had unrestricted access to all files, the ability to run commands, and unlimited persistence without needing to repeat the attack.

Researchers identified a similar exploit in Microsoft Copilot Studio and Salesforce Agentforce. Through indirectly performed searches, users’ sensitive information could be obtained by querying their accounts through normal forms or integrations. The risk lies in the fact that neither application clearly separates input (queries) from output (results).

A final example of the potential risks of using AI is Claudy Day, an exploit of Claude in which a user’s session is intercepted after they click a specially crafted link designed to look legitimate. In some instances, attackers even used Google Ads to distribute such links through paid search ads.

Finally, researchers demonstrated how AI agents can err in their assessment of trust. One example involves GitHub Actions based on Claude: a malicious script was approved by the system solely because the author’s name and email address had been replaced with those of a trusted member of staff. When the script was submitted again, the AI agent reversed its earlier judgment and ignored the potentially hazardous submission.

Once again, this demonstrates why relying on these types of systems as your sole security mechanism remains risky, given their unpredictable nature.
