Google Antigravity, an ‘agent-first’ development platform, has recently drawn the attention of security researchers and cybercriminals due to a critical vulnerability discovered by Pillar Security, which allows attackers to escape the sandbox environment and remotely execute arbitrary code. This flaw, linked to insufficient input sanitization, was patched by Google in late February, but it highlighted potential threats, including the risk of indirect prompt injection through seemingly benign public repository files. Additionally, researchers at Malwarebytes reported that users searching for Antigravity could be misled to a fake site providing a trojanized installer that not only installs the platform but also deploys PowerShell scripts designed to steal sensitive data from various online platforms, demonstrating the malware’s capabilities in keystroke logging and creating hidden desktops for stealthy operations.

Malwarebytes: Malwarebytes is a cybersecurity firm offering antivirus, anti-malware protection, and threat intelligence for detecting advanced threats across devices. They analyzed a fake Google Antigravity website at google-antigravity.com that serves trojanized installers deploying stealer malware to harvest browser data, cryptocurrency wallets, and enable clipboard hijacking, keystroke logging, and hidden desktop control.
Pillar Security: Pillar Security is a cybersecurity platform focused on protecting AI applications and the agentic workforce through full-lifecycle security from design to runtime. In the context of this news, researchers from Pillar Security discovered and disclosed a critical vulnerability in Google Antigravity that enabled attackers to escape the sandbox and execute arbitrary code via prompt injection in untrusted source files.
Google Antigravity: Google Antigravity is an agentic development platform that transforms the traditional IDE into a control center for autonomous AI agents powered by Gemini, enabling developers to delegate multi-step engineering tasks for planning, execution, and verification. Its growing adoption has drawn attention from security researchers who identified a sandbox escape vulnerability due to poor input sanitization in a file search parameter, allowing remote code execution even in Secure Mode. The platform was also targeted by cybercriminals using fake websites to distribute trojanized installers.

Attack Vectors: Attackers exploited indirect prompt injection by embedding malicious instructions in benign-looking public repository files and used typosquatted domains mimicking official searches for Antigravity.
Malware Capabilities: The trojanized installer deploys PowerShell scripts for data theft from browsers, messaging apps, crypto wallets, and includes tools for keystroke logging, clipboard hijacking, and creating hidden desktops.
Vulnerability Details: The Antigravity flaw involved insufficient input sanitization in a parameter, allowing command injection during file searches to stage and execute malicious scripts.