Google Fixes AI Coding Tool Flaw That Let Attackers Execute Malicious Code: Report
Researchers say a prompt injection bug in Google's Antigravity AI coding tool could have let attackers run commands, despite safeguards.
By Jason NelsonEdited by Andrew HaywardApr 21, 2026Apr 21, 20263 min read
In brief
- Researchers found a prompt injection vulnerability in Google’s Antigravity AI coding platform.
- The flaw could allow attackers to execute commands even with the platform’s Secure Mode enabled.
- Google fixed the issue Feb. 28 after researchers disclosed it in January, Pillar Security said.
Google has patched a vulnerability in its Antigravity AI coding platform that researchers say could allow attackers to run commands on a developer’s machine through a prompt injection attack.
According to a report by Cybersecurity firm Pillar Security, the flaw involved Antigravity’s find_by_name file search tool, which passed user input directly to an underlying command-line utility without validation. That allowed malicious input to convert a file search into a command execution task, enabling remote code execution.
“Combined with Antigravity's ability to create files as a permitted action, this enables a full attack chain: stage a malicious script, then trigger it through a seemingly legitimate search, all without additional user interaction once the prompt injection lands,” Pillar Security researchers wrote.
Launched last November, Antigravity is Google’s AI-powered development environment designed to help programmers write, test, and manage code with the assistance of autonomous software agents. Pillar Security disclosed the issue to Google on January 7, and Google acknowledged the report the same day, marking the issue as fixed on February 28.
Google did not immediately respond to a request for comment by Decrypt.
Prompt injection attacks occur when hidden instructions embedded in content cause an AI system to perform unintended actions. Because AI tools often process external files or text as part of normal workflows, the system may interpret those instructions as legitimate commands, allowing an attacker to trigger actions on a user’s machine without direct access or additional interaction.
The threat of prompt injection attacks for large language models came into renewed focus last summer when ChatGPT developer OpenAI warned that its new ChatGPT agent could be compromised.
“When you sign ChatGPT agent into websites or enable connectors, it will be able to access sensitive data from those sources, such as emails, files, or account information,” OpenAI wrote in a blog post.
To demonstrate the Antigravity issue, the researchers created a test script inside a project workspace and triggered it through the search tool. When executed, the script opened the computer’s calculator application, showing that the search function could be turned into a command execution mechanism.
“Critically, this vulnerability bypasses Antigravity's Secure Mode, the product's most restrictive security configuration,” the report said.
The findings highlight a broader security challenge facing AI-powered development tools as they begin to execute tasks autonomously.
“The industry must move beyond sanitization-based controls toward execution isolation. Every native tool parameter that reaches a shell command is a potential injection point,” Pillar Security said. “Auditing for this class of vulnerability is no longer optional, and it is a prerequisite for shipping agentic features safely.”
