GitHub Internal Repos Accessed After Employee Device Compromise

A poisoned VS Code extension became the entry point. Treat editor extensions as supply-chain risk, not convenienceware.

[ KEY POINTS ]

Attack path: a compromised employee endpoint via malicious VS Code extension, followed by access to internal repositories.
GitHub removed the malicious extension version and isolated the endpoint. Extension version pinning and review matter for dev machines.
No concrete customer-impact detail is available in the provided text. Actionable takeaway stays limited to workstation hardening.

Originalnews.hada.io/topic?id=29703Read original →

// related

#0001
#0001Agents & tools Google AI Forum31 minutes ago
`Antigravity` extension install and skill/plugin management issues reported
50radar
AntigravityAgentic development IDE — skill and plugin based workflows
Clean installs can fail to import VS Code extensions, and old skills need directory reshaping. The bigger tax is context pollution: plugins cannot be toggled off yet.
- VS Code extension import can fail on a clean Windows install; renaming ~/.antigravity to antigravity-ide is the stated workaround.
- Old global skills are recognized but hidden from the global skill list because Antigravity does not recursively scan skill folders.
- Skills now sit in plugin chunks; matching .gemini/config/plugins/science structure makes them appear as plugin:science.
- Plugins cannot be enabled or disabled, so every skill collection keeps adding context. That is a real cost for small-agent setups.
Source: discuss.ai.google.dev/t/more-antigravity-issues/145875Read original →
FIG-0011:1
50radar
FIG-0011:1
#0002
#0002Agents & tools Google AI Forum1 hour ago
`Antigravity IDE` update migration can fail on existing `mcp_config.json` symlink
40radar
Antigravity IDECoding-agent IDE — built around Google's Gemini ecosystem
Auto-update may break project access when the migration hits an existing symlink. Check the config path before updating; the blast radius is narrow but painful.
- Failure happens during the move from ~/.gemini/antigravity to ~/.gemini/antigravity-ide; existing mcp_config.json symlink triggers EEXIST.
- Reported on macOS darwin-arm64 while updating to 2.0.1; the wizard aborts mid-migration and blocks existing project opens.
- Practical workaround: inspect or remove the destination symlink before update. The app needs overwrite/unlink handling in its copy step.
Source: discuss.ai.google.dev/t/antigravity-bug-report-ide-wizarRead original →
FIG-0021:1
40radar
FIG-0021:1
#0003
#0003Agents & tools Google AI Forum2 hours ago
`Antigravity 2.0` Drops Integrated IDE Workflow
50radar
AntigravityAI coding tool — IDE-style workflow discussed on Google AI forum
The main app lost editor, terminal, and source control flow. Update only after checking whether your daily coding loop survives the split.
- Reports mention the editor workflow missing after Antigravity 2.0; that turns a coding agent into a slower app handoff.
- The IDE opens the wrong app, so project context switching becomes a real friction point during edits.
- No terminal or source control in the main app means core dev loops are split across tools.
Source: discuss.ai.google.dev/t/antigravity-2-0-removed-the-inteRead original →
FIG-0031:1
50radar
FIG-0031:1

GitHub Internal Repos Accessed After Employee Device Compromise

// related

`Antigravity` extension install and skill/plugin management issues reported

`Antigravity IDE` update migration can fail on existing `mcp_config.json` symlink

`Antigravity 2.0` Drops Integrated IDE Workflow