Google Patches Prompt Injection RCE in Antigravity AI IDE

Google has shipped a patch for its Antigravity IDE addressing a prompt injection vulnerability that allowed attackers to achieve arbitrary code execution on developer machines. The flaw let crafted inputs embedded in files, documentation, or external content hijack the AI assistant’s instruction context and coerce it into executing attacker-controlled commands through the IDE’s tool-calling surface.

The bug sits at the intersection of two trust boundaries that AI-integrated development tools routinely blur: the line between data the assistant reads and instructions it obeys, and the line between the assistant’s reasoning and the host system’s execution privileges. When an IDE grants its embedded model the ability to run shell commands, edit files, or invoke build tooling, a successful prompt injection is no longer a chatbot curiosity — it is a remote code execution primitive triggered by opening a poisoned repository or reviewing attacker-supplied content.

The patch closes the specific vector Google identified, but the structural problem persists across the category. Agentic IDEs that treat untrusted content as part of the prompt context while simultaneously exposing privileged tool access will keep generating these bugs until the architecture enforces a hard separation between instruction channels and data channels, or constrains tool invocation behind explicit, non-bypassable user confirmation.