Overview
- A flaw in Google’s Antigravity IDE, disclosed by Pillar Security in early January, was patched on February 28 after Google confirmed the issue and awarded a bug bounty.
- The bug sat in the find_by_name search tool, which passed the Pattern input straight to the fd utility and let attackers inject the -X exec flag to run arbitrary binaries.
- The search call ran as a native tool before Strict Mode limits kicked in, so the sandbox never saw it and the agent could execute code outside its intended guardrails.
- Pillar’s demo showed a full attack chain that used Antigravity’s permitted file-creation capability to plant a script and then trigger it through a search, opening the system calculator to prove command execution.
- Researchers warn that prompt injection can arrive through a hijacked account or through hidden text in files and web pages the agent reads. Separate reports flag a fake Antigravity download site that installs a real IDE plus data‑stealing malware, underscoring calls for execution isolation and strict auditing of tool parameters.
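
The parameter auditing called for above can be sketched as follows. This is an added example, not Antigravity's or Pillar's code: the function names, the workspace path and the sample patterns are assumptions made up for illustration, and the only fd behaviour relied on is that `--` ends option parsing.

```python
import shutil
import subprocess


class UnsafePattern(ValueError):
    """Raised when a search pattern could be parsed by fd as an option."""


def naive_fd_argv(pattern, root):
    # 'Before' form (hypothetical): the pattern sits where fd still parses
    # options, so a value beginning with '-' is read as a flag.
    return ["fd", pattern, root]


def safe_fd_argv(pattern, root):
    # Audit the tool parameter before it reaches the command line.
    if not isinstance(pattern, str) or not pattern:
        raise UnsafePattern("pattern must be a non-empty string")
    if "\x00" in pattern:
        raise UnsafePattern("NUL byte in pattern")
    if pattern.startswith("-"):
        raise UnsafePattern("pattern starts with '-' and looks like an option")
    # '--' ends option parsing: everything after it is positional, so the
    # pattern and the directory can never be interpreted as flags.
    return ["fd", "--", pattern, root]


def option_like(argv):
    # Elements fd would still parse as options (those before any '--').
    head = argv[1:argv.index("--")] if "--" in argv else argv[1:]
    return [a for a in head if a.startswith("-")]


def run_search(pattern, root="."):
    argv = safe_fd_argv(pattern, root)
    if shutil.which("fd") is None:
        raise FileNotFoundError("fd is not installed")
    # List form, no shell: the pattern stays a single argv element.
    done = subprocess.run(argv, capture_output=True, text=True, check=False)
    return done.stdout.splitlines()


if __name__ == "__main__":
    for p in ["report", "-X"]:  # constructed inputs
        print(p, "naive option-like:", option_like(naive_fd_argv(p, ".")))
        try:
            print(p, "safe argv:", safe_fd_argv(p, "."))
        except UnsafePattern as err:
            print(p, "rejected:", err)
```

Rejecting a leading dash is a policy choice on top of the `--` separator; a tool that must find files whose names begin with `-` can drop that check and rely on the separator alone.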