Just hours after launch, an AI-powered integrated development environment has already had several latent critical vulnerabilities discovered.
According to a Forbes report, security researcher Aaron Portnoy has demonstrated a critical vulnerability that let malicious code modify Google’s AI-powered integrated development environment’s configuration and establish a persistent backdoor.
This flaw can enable malware installation or spying on both Windows and macOS systems if a user has marked code as “trusted.”
Because the Antigravity integrated development environment (IDE) requires users to trust code to unlock its core AI features, attackers can combine this with social engineering — posing as helpful developers — to get victims to run compromised snippets.
The flaws were discovered within hours of the IDE launch, prompting urgent warnings from security researchers and renewing concern about the safety of AI-driven development tools.
Independent researcher Johann Rehberger and others have documented additional issues:
- Remote command execution via indirect prompt injection
- Data exfiltration through the IDE’s browser and URL-reading tools
- The ability to follow hidden instructions embedded with invisible Unicode characters.
These problems allow attackers to exfiltrate secrets from files like .env by tricking the IDE into reading local files and sending their contents to attacker-controlled servers. Experts argue these flaws highlight a broader pattern of AI agents and coding copilots being shipped with weak boundaries and heavy trust assumptions, reminiscent of the lax security culture of the late 1990s.
Some recommend that developers temporarily avoid Antigravity or at least disable auto-execution features and treat AI agents as untrusted until vendors harden their designs and improve testing.
In the meantime, Google has listed data exfiltration and prompt-injection-based code execution as “known issues” on its bug reporting portal and characterized some behavior patterns as “intended,” but has not shipped a comprehensive patch as of late November 2025.
Researchers note that some of these vulnerabilities were already known in Windsurf months before Google licensed it, raising questions about why Antigravity launched without mitigations.
