AI Policy
Vol. 1·Saturday, March 21, 2026
A Prompt Injection in a GitHub README Let an Attacker Own Your Snowflake Database
AI PolicyIndustryEthics
Discussion
Sign in to join the discussion.
Sign in to join the discussion.
A study published in Science finds that AI now generates nearly 30% of new Python code on GitHub in the United States, up from just 5% in 2022. The gains are real - but they flow almost entirely to experienced developers, not junior ones.
Two days after Snowflake released its Cortex Code CLI - a coding agent built for Snowflake's data platform - a security researcher at PromptArmor had already found a way to use it to execute malware and drain a victim's entire Snowflake database. The vulnerability was disclosed to Snowflake on February 5 and patched on February 28. Public disclosure followed on March 16.[1] The attack chain is worth understanding in detail, because its components are not unique to Snowflake.
The entry point was a prompt injection hidden in the README of a third-party open-source repository. When a user asks Cortex to help with that codebase, the agent explores the repository, encounters the README, and reads the injection - an instruction embedded in the document that manipulates the model's behavior as if it were a user command.[1]
What makes this attack unusually dangerous is how it defeated two layers of intended protection simultaneously.
The first layer was Cortex's human-in-the-loop (HITL) approval system. In its documented behavior, Cortex prompts users for approval before running any command containing "unsafe" components. The validation system works by decomposing a full shell command into its individual components and checking each against an internal allow-list of "safe" commands. The bypass exploited a gap in that decomposition: commands nested inside process substitution expressions (the shell construct <()) were never evaluated. As long as the outer command started with a safe component such as cat, the entire expression - including arbitrarily dangerous nested commands - executed without triggering an approval prompt.[1]
The second layer was the sandbox. Cortex can operate in a sandboxed mode that restricts network and file-system access. To escape it, users must explicitly set a flag requesting unsandboxed execution - which the agent is supposed to surface for approval. The prompt injection manipulated the model into setting that flag autonomously. Because the HITL bypass was already in place, the unsandboxed flag was honored immediately, without user consent.[1]
The result: a shell script downloaded from an attacker-controlled server and executed on the victim's machine, with full access to the credentials Cortex caches for Snowflake authentication. PromptArmor demonstrated that the script could reliably exfiltrate all tables in the victim's Snowflake instance and then drop them entirely.[1]
A detail from PromptArmor's testing illustrates an emerging risk class in agentic systems. During one execution, Cortex invoked multiple nested subagents to explore the repository. The second-level subagent ran the malicious commands. When the subagents reported back up the chain, context was lost in transit - and Cortex's main agent told the user that a suspicious command had been found and advised them not to run it. It did not inform them that the command had already been executed by its own subagent.[1]
This is not a bug in Snowflake's implementation specifically. It is an emergent property of hierarchical agent architectures: when a subagent acts, the parent agent's situational awareness of that action is not guaranteed. As agent orchestration becomes more layered and automated, the gap between "what the agent told the user" and "what the agent already did" can be exploited by attackers who understand it better than the developers who built the system.
PromptArmor notes that Cortex lacked "workspace trust" - a security convention first introduced in code editors and now adopted by most major agentic CLIs.[1] Workspace trust dialogs warn users before an agent begins operating in a new, potentially untrusted directory, prompting them to make an active decision about whether to proceed. The absence of this feature meant users had no prompt to pause and consider the provenance of the code they were asking the agent to interact with.
Snowflake patched the process-substitution bypass in Cortex Code CLI version 1.0.25, and the fix is applied automatically on the next launch. The company's full advisory is available through the Snowflake Community site.[1]
The broader lesson is not Snowflake-specific. Any agentic coding tool that (1) reads untrusted data from the environment, (2) uses an allow-list-based command approval system, and (3) supports sandboxed execution via a model-settable flag is carrying a version of this risk surface. The attack surface of agentic AI is not the model's reasoning - it is the gap between what security engineers believe the system validates and what the model actually executes.