Overview
- Mindgard’s Aaron Portnoy showed a compromised project can replace the global mcp_config.json to execute code on every launch, persisting through uninstall until the file is manually removed.
- The technique targets Antigravity’s Visual Studio Code–style trusted workspace flow and was demonstrated on Windows and macOS.
- Google acknowledged separate risks where agents can be induced to exfiltrate local data via crafted content or run malicious commands via prompt injection.
- Antigravity, in public preview for macOS, Windows and Linux, orchestrates autonomous agents through a Manager Surface and an Editor View, with Chrome-driven verification and Artifacts for evidence.
- Security commentators say the episode highlights a broader trust-model failure in agentic tools and call for isolation, signed evidence and least-privilege controls.