Within just 24 hours of Google’s launch of Antigravity, an AI coding tool powered by its Gemini large language model, security researcher Aaron Portnoy uncovered a critical vulnerability posing severe risks to users. By manipulating Antigravity’s configuration, Portnoy demonstrated how malicious source code could create a persistent backdoor, enabling hackers to inject malware such as spyware or ransomware on both Windows and Mac computers. The attack required only that a user run a piece of rogue code once and label it as “trusted,” a social engineering tactic commonly used by cybercriminals. This flaw highlights the dangers of rapidly deploying AI tools without thorough security vetting, exposing users to potentially devastating breaches.
Portnoy reported the flaw to Google, which initiated an investigation but, at the time of reporting, had not released a patch or identified settings to mitigate the vulnerability. The backdoor created by the malicious code would automatically reload whenever a user opened any Antigravity project or issued even the simplest prompt, persisting through reinstalls unless the user manually removed the backdoor. This persistence significantly raises the threat level as uninstalling or reinstalling the application alone is insufficient to eliminate the risk. Alongside Portnoy’s findings, Google acknowledged at least two other vulnerabilities in Antigravity that allow malicious code to access and steal files from users’ machines.
Experts in AI security, such as Gadi Evron, cofounder and CEO of Knostic, emphasize that AI coding assistants often rely on outdated technologies and are released with insufficient security hardening. This creates a fertile environment for attackers due to the broad access these agents have to corporate networks and sensitive data. The rush to release AI tools has led to a cat-and-mouse dynamic where cybersecurity researchers scramble to identify and expose security holes before hackers can exploit them. Portnoy compared the current wave of AI vulnerabilities to hacking in the late 1990s, noting that these AI systems operate with enormous trust assumptions and minimal protective boundaries.
The problem extends beyond Google. Similar vulnerabilities have been found in competing AI coding assistants, such as Cline, where hackers have also been able to install malware. The architecture of AI agents — capable of autonomously performing sequences of tasks — combined with their access to internal resources, increases the risk and impact of exploitation. Social engineering remains a key vector, as demonstrated by recent warnings of fake recruiters using LinkedIn to deliver malicious code disguised as legitimate job-related materials.
Portnoy criticizes Google’s current approach, which requires users to trust the code they load into Antigravity to access its AI features. He explains that this trust mechanism is insufficient because users who decline to trust code are barred from using the tool’s advanced capabilities, essentially forcing them to accept potential risks. Unlike traditional integrated development environments like Microsoft’s Visual Studio Code, which can function with untrusted code, Antigravity’s design funnels users into a vulnerable position. Portnoy recommends that Google implement explicit warnings anytime Antigravity executes code on a user’s machine, beyond the simplistic trusted code prompt.
Interestingly, when faced with Portnoy’s malicious code, Antigravity’s AI itself recognized the conflict between its operational rules and the request to override code on a user’s system. The AI described this as a “catch-22,” illustrating the logical contradictions that can be exploited by attackers to bypass safeguards. Portnoy’s findings reveal a fundamental design weakness in AI agents where conflicting constraints lead to paralysis, an exploitable loophole.
As AI coding assistants become increasingly integrated into software development workflows, the discovery of multiple vulnerabilities across competing products underscores the urgent need for the AI industry to prioritize robust security measures. Portnoy and his team continue to uncover numerous weaknesses, reflecting a broader industry challenge where innovation outpaces the development of adequate protections against emerging cyber threats.