惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google Online Security Blog
Google Online Security Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Stack Overflow Blog
Stack Overflow Blog
GbyAI
GbyAI
Microsoft Azure Blog
Microsoft Azure Blog
I
InfoQ
F
Fortinet All Blogs
N
Netflix TechBlog - Medium
Martin Fowler
Martin Fowler
腾讯CDC
C
CERT Recently Published Vulnerability Notes
博客园 - 聂微东
L
LINUX DO - 热门话题
Y
Y Combinator Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Microsoft Security Blog
Microsoft Security Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
C
Cisco Blogs
A
Arctic Wolf
Latest news
Latest news
Jina AI
Jina AI
P
Proofpoint News Feed
博客园 - 叶小钗
Vercel News
Vercel News
T
Threat Research - Cisco Blogs
博客园 - 三生石上(FineUI控件)
K
Kaspersky official blog
C
Check Point Blog
H
Heimdal Security Blog
博客园 - Franky
小众软件
小众软件
The Register - Security
The Register - Security
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Google DeepMind News
Google DeepMind News
AWS News Blog
AWS News Blog
The Hacker News
The Hacker News
T
The Exploit Database - CXSecurity.com
aimingoo的专栏
aimingoo的专栏
Project Zero
Project Zero
G
GRAHAM CLULEY
爱范儿
爱范儿
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Scott Helme
Scott Helme
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
NISL@THU
NISL@THU

The Hacker News

SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation 22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 5 Places where Mature SOCs Keep MTTR Fast and Others Waste Time NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More Why Most AI Deployments Stall After the Demo Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials $13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories [Webinar] Eliminate Ghost Identities Before They Expose Your Enterprise Data The Hacker News The Hacker News Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More Deterministic + Agentic AI: The Architecture Exposure Validation Requires Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Analysis of 216M Security Findings Shows a 4x Increase In Critical Risk (2026 Report) 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025 FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More Your MTTD Looks Great. Your Post-Alert Gap Doesn't North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs Browser Extensions Are the New AI Consumption Channel That No One Is Talking About Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories The Hidden Security Risks of Shadow AI in Enterprises Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP) Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign [Webinar] How to Close Identity Gaps in 2026 Before AI Exploits Enterprise Risk Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign The Hidden Cost of Recurring Credential Incidents New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea Multi-OS Cyberattacks: How SOCs Close a Critical Risk in 3 Steps ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners The State of Trusted Open Source Report WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution
info@thehack · 2026-04-21 · via The Hacker News

Ravie LakshmananApr 21, 2026Vulnerability / Artificial Intelligence

Cybersecurity researchers have discovered a vulnerability in Google's agentic integrated development environment (IDE), Antigravity, that could be exploited to achieve code execution.

The flaw, since patched, combines Antigravity's permitted file-creation capabilities with an insufficient input sanitization in Antigravity's native file-searching tool, find_by_name, to bypass the program's Strict Mode, a restrictive security configuration that limits network access, prevents out-of-workspace writes, and ensures all commands are being run within a sandbox context.

"By injecting the -X (exec-batch) flag through the Pattern parameter [in the find_by_name tool], an attacker can force fd to execute arbitrary binaries against workspace files," Pillar Security researcher Dan Lisichkin said in an analysis.

"Combined with Antigravity's ability to create files as a permitted action, this enables a full attack chain: stage a malicious script, then trigger it through a seemingly legitimate search, all without additional user interaction once the prompt injection lands."

The attack takes advantage of the fact that the find_by_name tool call is executed before any of the constraints associated with Strict Mode are enforced and is instead interpreted as a native tool invocation, leading to arbitrary code execution. While the Pattern parameter is designed to accept a filename search pattern to trigger a file and directory search using fd through find_by_name, it's undermined by a lack of strict validation, passing the input directly to the underlying fd command.

An attacker could, therefore, leverage this behavior to stage a malicious file and inject malicious commands into the Pattern parameter to trigger the execution of the payload.

"The critical flag here is -X (exec-batch). When passed to fd, this flag executes a specified binary against each matched file," Pillar explained. "By crafting a Pattern value of -Xsh, an attacker causes fd to pass matched files to sh for execution as shell scripts."

Cybersecurity

Alternatively, the attack can be initiated via an indirect prompt injection without having to compromise a user's account. In this approach, an unsuspecting user pulls a seemingly harmless file from an untrusted source that contains hidden attacker-controlled comments instructing the artificial intelligence (AI) agent to stage and trigger the exploit.

Following responsible disclosure on January 7, 2026, Google addressed the shortcoming as of February 28.

"Tools designed for constrained operations become attack vectors when their inputs are not strictly validated," Lisichkin said. "The trust model underpinning security assumptions, that a human will catch something suspicious, does not hold when autonomous agents follow instructions from external content."

The findings coincide with the discovery of a number of now-patched security flaws in various AI-powered tools -

  • Anthropic Claude Code Security Review, Google run-gemini-cli (formerly Gemini CLI Action), and GitHub Copilot Agent have been found vulnerable to prompt injection via GitHub comments, allowing an attacker to turn pull request (PR) titles, issue bodies, and issue comments into attack vectors for API key and token theft. The prompt injection attack has been codenamed Comment and Control, as it weaponizes an AI agent's elevated access and its ability to process untrusted user input to execute malicious instructions. 
  • "The pattern likely applies to any AI agent that ingests untrusted GitHub data and has access to execution tools in the same runtime as production secrets -- and beyond GitHub Actions, to any agent that processes untrusted input with access to tools and secrets: Slack bots, Jira agents, email agents, deployment automation," security researcher Aonan Guan said. "The injection surface changes, but the pattern is the same."
  • Another vulnerability in Claude Code, discovered by Cisco, is capable of poisoning the coding agent's memory and maintaining persistence across every project and every session, even after a system reboot. The attack essentially utilizes a software supply chain attack as an initial access vector to launch a malicious payload that can tamper with the model's memory files for malicious purposes (e.g., framing insecure practices as necessary architectural requirements) and appends a shell alias to the user's shell configuration.
  • AI code editor Cursor has been found susceptible to a critical living-off-the-land (LotL) vulnerability chain dubbed NomShub that makes it possible for a malicious repository to clandestinely hijack a developer's machine by leveraging a mix of indirect prompt injection, a command parser sandbox escape via shell builtins like export and cd, and Cursor's built-in remote tunnel, granting the attacker persistent, undetected shell access simply upon opening the repository in the IDE.
  • Once persistent access is obtained, the attacker can connect to the machine without triggering the prompt injection again or raising any security alerts. Because Cursor is a legitimate binary that's signed and notarized, the adversary has unfettered access to the underlying host, gaining full file system access and command execution capabilities.
  • "A human attacker would need to chain together multiple exploits and maintain persistent access," Straiker researchers Karpagarajan Vikkii and Amanda Rousseau said. "The AI agent does this autonomously, following the injected instructions as if they were legitimate development tasks."
  • A novel attack called ToolJack has been found to allow a local attacker to manipulate an AI agent's perception of its environment and corrupts the tool's ground truth to produce unintended downstream effects, including poisoned data, fabricated business intelligence, and bogus recommendations.
  • "Where MCP Tool Shadowing poisons tool descriptions to influence agent behavior across servers and ConfusedPilot contaminates a RAG retrieval pool, ToolJack operates as a real-time infrastructure attack on the communication conduit itself," Preamble researcher Jeremy McHugh said. "It does not wait for the agent to organically encounter poisoned data. It synthesizes a fabricated reality mid-execution, demonstrating that compromising the protocol boundary yields control over the agent's entire perception."
  • Severe indirect prompt injection vulnerabilities have been identified in Microsoft Copilot Studio (aka ShareLeak or CVE-2026-21520, CVSS score: 7.5) and Salesforce Agentforce (aka PipeLeak) that could enable attackers to exfiltrate sensitive data through an external SharePoint form or a simple lead from a form submission, respectively.
  • "The attack exploits the lack of input sanitization and inadequate separation between system instructions and user-supplied data," Capsule Security researcher Bar Kaduri said about CVE-2026-21520. PipeLeak is similar to ForcedLeak in that the system processes public-facing lead form inputs as trusted instructions, thus allowing an attacker to embed malicious prompts that override the agent's intended behavior.
  • A trio of vulnerabilities have been identified in Claude that, when chained together in an attack codenamed Claudy Day, allow an attacker to silently hijack a user's chat session and exfiltrate sensitive data with a single click. The attack pipeline requires no additional integrations, tools, or Model Context Protocol (MCP) servers.
  • The attack works by embedding hidden instructions in a crafted Claude URL ("claude[.]ai/new?q=..."), encapsulating it in an open redirect on claude[.]com to make it appear legitimate, and then running it as a benign-looking Google ad that, when clicked, triggers the attack by silently redirecting the victim to the crafted "claude[.]ai/new?q=..." URL containing the invisible prompt injection.
  • "Combined with Google Ads, which validates URLs by hostname, this allowed an attacker to place a search ad displaying a trusted claude.com URL that, when clicked, silently redirected the victim to the injection URL. Not a phishing email. A Google search result, indistinguishable from the real thing," Oasis Security said.

Cybersecurity

In research published last week, Manifold Security also revealed how a Claude-powered GitHub Actions workflow ("claude-code-action") can be tricked into approving and merging a pull request containing malicious code with just two Git configuration commands by spoofing a trusted developer's identity.

At its core, the attack entails setting Git's user.name and user.email properties to those of a well-known developer (in this case, AI researcher Andrej Karpathy). This metadata trickery becomes a problem when an AI system treats it as a signal of trust. An attacker could exploit this unverified metadata to deceive the AI agent into executing unintended actions.

"On the first submission, Claude flagged the PR for manual review, noting that author reputation alone wasn't sufficient justification," researchers Ax Sharma and Oleksandr Yaremchuk said. "Reopening and resubmitting the same PR led to its approval. The AI overrode its own better judgment on retry. This non-determinism is the point. You cannot build a security control on a system that changes its mind."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.