Google Fixes Antigravity IDE Flaw Enabling Code Execution

Google has patched a critical vulnerability in its AI-powered development environment, Antigravity IDE. The flaw allowed attackers to exploit prompt injection techniques and achieve arbitrary code execution, raising fresh concerns about the security of AI-driven coding tools.

This issue highlights a growing trend in the cybersecurity landscape—AI agents becoming unintended attack surfaces when input validation is weak or security assumptions fail.

The vulnerability was discovered by researchers at Pillar Security, who found that attackers could bypass Antigravity’s Strict Mode, a security feature designed to limit risky operations.

Strict Mode in Antigravity is supposed to:

• Restrict network access
• Prevent file writes outside the workspace
• Ensure all commands run in a sandboxed environment

However, the flaw allowed attackers to bypass these protections using the IDE’s built-in file search tool, find_by_name.

The root cause? Improper input sanitization.

At the core of the exploit was the misuse of a parameter called Pattern in the find_by_name tool. Instead of strictly validating input, the tool passed user input directly to an underlying system command (fd), creating a dangerous loophole.

Attackers could inject a special flag:

• -X (exec-batch)

This flag forces the system to execute commands on matched files.

According to researcher Dan Lisichkin, an attacker could:

1. Create a malicious script inside the workspace
2. Inject a crafted Pattern value (e.g., -Xsh)
3. Trigger execution via a seemingly harmless file search

This creates a complete attack chain:

• Stage payload → Trigger execution → Gain control

Even more concerning, this happens before Strict Mode protections are enforced, making the exploit highly effective.

One of the most dangerous aspects of this vulnerability is that it doesn’t require direct access to a user’s account.

Attackers can use indirect prompt injection, where:

• A developer downloads a harmless-looking file
• The file contains hidden instructions
• The AI agent interprets those instructions as legitimate tasks

This allows attackers to manipulate the AI system silently, without raising suspicion.

• Reported: January 7, 2026
• Patched by Google: February 28, 2026

Google has since fixed the issue, but the incident exposes deeper risks in AI-based development tools.

This is not an isolated case. Multiple AI tools, including those from Anthropic and Microsoft, have recently faced similar vulnerabilities.

AI coding assistants like GitHub Copilot and Claude Code were found vulnerable to malicious instructions hidden in:

• Pull request titles
• Issue comments
• Repository content

Attackers could steal API keys and tokens by tricking AI agents into executing unauthorized actions.

Researchers found that AI tools can be manipulated to store malicious instructions in memory, affecting:

• Future sessions
• Multiple projects

This creates long-term persistence similar to advanced malware.

The AI code editor Cursor IDE was impacted by a vulnerability chain called NomShub, which allowed:

• Silent system takeover
• Persistent shell access
• Full file system control

Simply opening a malicious repository could compromise a developer’s machine.

A newer attack method called ToolJack can:

• Alter how AI agents perceive their environment
• Inject fake data in real-time
• Generate misleading outputs

This goes beyond data poisoning and directly manipulates AI decision-making.

Tools like Microsoft Copilot Studio and Salesforce Agentforce were found vulnerable to indirect prompt injection that could:

• Leak sensitive data
• Override system instructions
• Exploit poor separation between user input and system logic