Security Firm Warns Google's IDE Antigravity Can Leak Sensitive Data via Prompt-Injection Exploit
Interestingly, Google developers are reportedly barred from using the public Antigravity IDE and must instead rely on an internal alternative called Jetski.
Security researchers at PromptArmor have uncovered a major vulnerability in Google’s new AI-powered coding tool, Google Antigravity, that allows attackers to exfiltrate credentials and private code — even when standard safeguards are enabled.
"An indirect prompt injection in an implementation blog can manipulate Antigravity to invoke a malicious browser subagent in order to steal credentials and sensitive code from a user’s IDE," the company said.
Antigravity, powered by the AI model Gemini, is designed to help developers by analyzing code and supporting integrations. But PromptArmor demonstrated that a poisoned implementation guide, for example, a seemingly innocuous documentation page can hide invisible malicious instructions. When a user loads this page as a reference, Gemini may be tricked into launching a browser subagent that silently steals sensitive files.
In the described attack chain, the manipulated AI accesses protected files (like .env files excluded from version control), dumps their contents via terminal commands, encodes the data into a URL, and sends it to a domain controlled by the attacker. The user may never notice, especially if multiple agents run in the background unchecked.
Even default security configurations, including blocklists and ignore-file protections, failed to stop the exploit. PromptArmor warns that AI tools with broad file and browser permissions pose inherent risks. “Traditional Data Loss Prevention protocols become effectively obsolete,” the company said.
The revelation has triggered concern across the developer community, many of whom rely on AI tooling for productivity. Several call the Antigravity release rushed and insecure, calling for immediate patches or safer defaults.
Interestingly, Google developers are reportedly barred from using the public Antigravity IDE and must instead rely on an internal alternative called Jetski, which includes Google-specific features. Antigravity sign-ups using @google.com accounts are explicitly prohibited.
Comments ()