Snowflake Cortex AI Escapes Sandbox and Executes Malware via Prompt Injection
simonwillison.net·high signal
PromptArmor disclosed a prompt injection attack chain in Snowflake's Cortex Agent where injecting text into a README manipulates the agent to download and execute malicious scripts using victim credentials — bypassing the approval gate via process substitution expressions. The exploit enables data exfiltration and table drops with no user confirmation. Fixed in Cortex Code CLI v1.0.25 on February 28, 2026, just two days after the tool's launch.