
Fake Google Antigravity Installer Can Steal Accounts in Minutes
Why It Matters
The attack provides a rapid, password‑less path to hijack user accounts, exposing both personal and enterprise data to theft. It highlights the growing risk of typosquatted downloads for newly popular developer tools.
Key Takeaways
- Typosquatted domain google‑antigravity.com hosts trojanized installer
- Hidden PowerShell script injects malware during Antigravity setup
- Stolen session cookies enable instant account takeover, bypassing MFA
- Attackers can harvest credentials, crypto wallets, and FTP data
Pulse Analysis
The recent wave of fake Google Antigravity downloads illustrates how quickly a popular developer tool can become a lure for cybercriminals. By registering the look‑alike domain google‑antigravity.com, attackers exploit typosquatting to present a seemingly authentic installer. The package contains the genuine Antigravity application, but a concealed PowerShell component is added during repackaging. This technique mirrors earlier campaigns that target newly released software, where the buzz around the product drives traffic to unverified sites. As a result, even seasoned developers may unwittingly introduce malware onto otherwise clean machines.
Once the installer runs, the hidden PowerShell script contacts attacker‑controlled servers and downloads a second‑stage payload. The payload disables standard Windows protections, then harvests browser cookies, saved passwords, cryptocurrency wallet files, and FTP credentials. Because session cookies are captured, attackers can impersonate users without needing passwords or multi‑factor authentication, achieving account takeover in minutes. Additional capabilities such as clipboard hijacking, keylogging, and stealth desktop sessions give threat actors persistent, low‑visibility access to corporate and personal environments.
The campaign underscores the urgency for organizations to enforce strict download hygiene and endpoint monitoring. Security teams should educate users to verify URLs, use code‑signing verification, and employ application whitelisting. Enterprises can mitigate risk by deploying browser extensions that flag known typosquatted domains and by regularly rotating API keys and session tokens. As AI‑generated tools like Antigravity gain traction, the attack surface will expand, making proactive threat intelligence and rapid incident response essential components of any modern cybersecurity strategy.
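One concrete form of the "flag known typosquatted domains" control described above is to review web-proxy logs for installer downloads from look-alike hosts. The following is an added example, not code from the original article or from any vendor or browser extension; the allowlist, brand tokens and proxy log lines are constructed placeholders, and the eTLD+1 logic is deliberately crude.

```python
import re
from urllib.parse import urlparse
# Constructed allowlist (placeholder names, not the real product's hosting); put
# legitimate brand hosts here so they are never flagged.
ALLOWED_HOSTS = {"downloads.examplevendor.com"}
BRAND_TOKENS = ("google", "antigravity")  # brand words suspicious in unknown domains

def levenshtein(a: str, b: str) -> int:  # edit distance, catches 1-2 char typosquats
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:  # crude eTLD+1: last two labels
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_host(host: str) -> str:
    """'allowed', 'lookalike' (brand token or near-miss spelling) or 'unknown'."""
    host = host.lower()
    if host in ALLOWED_HOSTS:
        return "allowed"
    reg = registrable(host)
    if any(tok in reg.split(".")[0] for tok in BRAND_TOKENS):
        return "lookalike"  # e.g. google-antigravity.com
    if any(levenshtein(reg, registrable(h)) <= 2 for h in ALLOWED_HOSTS):
        return "lookalike"  # e.g. exampievendor.com vs examplevendor.com
    return "unknown"

def flag_installer_downloads(log_lines):
    """Return (host, verdict) for each installer fetched from a non-allowed host."""
    hits = []
    for line in log_lines:
        m = re.search(r"url=(\S+)", line)
        url = urlparse(m.group(1)) if m else None
        if url is None or not url.path.lower().endswith((".exe", ".msi", ".zip")):
            continue  # no URL field, or not an executable-style download
        verdict = classify_host(url.hostname or "")
        if verdict != "allowed":
            hits.append((url.hostname, verdict))
    return hits

SAMPLE_LOG = [  # constructed proxy lines; the google-antigravity.com entry models the lure above
    "t=10:02:11 user=alice url=https://downloads.examplevendor.com/Antigravity-Setup.exe",
    "t=10:05:42 user=bob url=https://google-antigravity.com/Antigravity-Setup.exe",
    "t=10:07:03 user=carol url=https://downloads.exampievendor.com/Antigravity-Setup.exe",
    "t=10:09:19 user=dave url=https://cdn.unrelated-host.net/tool.msi",
]
```

Running `flag_installer_downloads(SAMPLE_LOG)` reports the brand-token lookalike, the one-character typosquat and the unknown host, while the allowlisted download is ignored; a production version would replace the two-label heuristic with a public-suffix list.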