What is Antigravity, Google’s new agentic AI coding platform raising fresh security concerns? | Technology News

The safety flaw reportedly has to do with Antigravity’s requirement that customers work inside a ‘trusted workspace’. As soon as that workspace is compromised, it might probably “silently embed code that runs each time the applying launches, even after the unique challenge is closed,” Portnoy mentioned in a weblog publish on Wednesday, November 26.

The vulnerability will be exploited on each Home windows and Mac PCs, he added.

Since final 12 months, software program engineers and builders are more and more utilizing AI-powered instruments to generate and edit code. Generative AI can be being constructed instantly into growth terminals and coding workspaces, with a shift towards AI coding brokers already taking form.

Nonetheless, chief data officers at giant firms are hesitant at hand over key components of their operations to AI brokers as they may go rogue or get hijacked for malicious use. In July this 12 months, an AI coding agent developed by Replit wiped a person’s total reside database with out warning regardless of a transparent directive file particularly stating, “No extra adjustments with out specific permission.”

“Once you mix agentic behaviour with entry to inside sources, vulnerabilities turn out to be each simpler to find and much more harmful,” Portnoy was quoted as saying by Forbes. “The pace at which we’re discovering essential flaws proper now seems like hacking within the late Nineteen Nineties. AI programs are transport with monumental belief assumptions and nearly zero hardened boundaries,” he added.

What’s Antigravity?

Alongside its extremely anticipated launch of Gemini 3, Google on November 18, launched its new AI-powered coding software that comes with a brand new ‘agent-first’ interface. Customers can work together with their code in two methods by the platform: Editor View and Supervisor Floor. Editor View permits customers to be extra hands-on, with Antigravity serving as an AI-powered IDE (built-in growth surroundings) with tab completions and inline instructions for a synchronous workflow.

In Supervisor Floor mode, customers can deploy a number of brokers that may work autonomously throughout completely different workspaces. For example, an AI agent can generate code for a brand new app characteristic, use the terminal to launch the app, and use the browser to check and confirm whether or not the characteristic works as anticipated – all with out synchronous human intervention, as per Google.

Notably, customers can customise the extent of autonomy they’ve over Antigravity’s built-in AI brokers, with ‘Agent-assisted growth’ mode being the default setting and ‘Evaluate-driven growth’ being probably the most restrictive setting.

What have safety specialists discovered?

Since Antigravity is constructed on prime of Visible Studio Code, an open-source code editor, customers are prompted to mark supply code folders as ‘trusted’ or ‘not trusted’ after opening them. In keeping with Portnoy, most customers might be compelled to say they belief the supply code even when they didn’t, as clicking ‘not trusted’ would make the AI options that include Antigravity inaccessible.

In his experiment, Portnoy started by focusing on one in every of Antigravity’s system prompts (a set of pre-defined directions for the AI agent to observe) which states that the AI agent should all the time observe user-defined guidelines “with out exception”. This led to Portnoy rigorously crafting a malicious person instruction that coerced the AI agent into changing the worldwide MCP (Mannequin Context Protocol) configuration file with a malicious file positioned throughout the challenge – all with out requiring any person intervention, holding the potential assault out of sight.

“As soon as this file has been positioned, it’s persistent. Any future launch of Antigravity, no matter whether or not a challenge is opened and no matter any belief setting will trigger the command to be executed. Even after an entire uninstall and re-install of Antigravity, the backdoor stays in impact. The person should concentrate on and delete the malicious mcp_config.json file manually to take away it,” Portnoy mentioned.

How has Google responded?

Following stories that Antigravity may doubtlessly be hijacked for malicious use, a Google spokesperson advised The Indian Categorical, “The Antigravity staff takes all safety points significantly. We actively encourage exterior safety researchers and bug hunters to report vulnerabilities so we are able to establish and handle them shortly. Within the spirit of transparency, we publish these publicly to our website as we work to repair them and supply real-time updates as we implement options.”

On its bug-hunting web page, Google mentioned it’s already conscious of two different types of security-related points concerning Antigravity. The primary recognized problem is utilizing the Antigravity agent to exfiltrate knowledge by finishing up oblique immediate injection assaults. This problem was individually flagged by one other cybersecurity startup known as Immediate Armor.

“Working with untrusted knowledge can have an effect on how the agent behaves. When supply code, or another processed content material, comprises untrusted enter, Antigravity’s agent will be influenced to observe these directions as a substitute of the person’s,” Google mentioned. The agent will be influenced to “leak knowledge from recordsdata on the person’s laptop in maliciously constructed URLs rendered in Markdown or by different means,” it added.

The second recognized problem is utilizing the Antigravity agent to run malicious code by way of immediate injection assaults. “Antigravity agent has permission to execute instructions. Whereas it’s cautious when executing instructions, it may be influenced to run malicious instructions,” the tech large acknowledged.