www.infosecurity-magazine.com 3/16/2026, 1:16:04 PM

Security Flaw in AWS Bedrock Code Interpreter Raises Alarms

A method for exfiltrating sensitive data from AI-powered code execution environments using DNS queries has been demonstrated by security researchers, highlighting potential risks in cloud-based AI tooling. The Phantom Labs Research report published on 16 March 2026 focuses on AWS Bedrock AgentCore Code Interpreter and shows how attackers could bypass expected network restrictions in Sandbox Mode to retrieve data from cloud resources.

According to the researchers, this behaviour allows malicious instructions embedded in files to create a covert command-and-control channel via DNS resolutions that remain active even when outbound network connections are restricted. The attack can begin with a malicious CSV file whose embedded content influences the generated Python code, enabling the interpreter to communicate with an external C2 server through DNS queries.

The researchers demonstrated capabilities including running whoami, listing S3 buckets, and extracting full file contents, including credentials and personal or financial information, all while the environment still reports that network access is disabled.

AWS reviewed the research and said the behaviour reflects intended functionality rather than a vulnerability, updating its documentation to clarify Sandbox Mode’s limited external network access and DNS resolution, and recommending organisations migrate critical workloads from Sandbox to VPC mode while auditing active AgentCore instances.
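For teams auditing DNS activity from code-execution sandboxes, the sketch below flags parent domains that receive many distinct queries with long, high-entropy labels, which is the usual footprint of data encoded into DNS names as described above. It is an added example, not code from the report or from AWS; the log format, the domain names and the thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: timestamp, source, query name, record type.
SAMPLE_LOG = """\
2026-03-16T10:00:01Z sandbox-1 pkg.example A
2026-03-16T10:00:02Z sandbox-1 files.pkg.example A
2026-03-16T10:00:03Z sandbox-1 a7f3k9q2m5x8b1c4d6e0g2h5j8l3n7p9.cdn.example A
2026-03-16T10:00:05Z sandbox-1 mfrggzdfmztwq2lknnwg23tpobyxe43u.c1.tunnel.example A
2026-03-16T10:00:06Z sandbox-1 ob2xg5dfon2gk3tumvzsa43fmnzgk5a7.c1.tunnel.example A
2026-03-16T10:00:06Z sandbox-1 ob2xg5dfon2gk3tumvzsa43fmnzgk5a7.c1.tunnel.example A
2026-03-16T10:00:07Z sandbox-1 nfxgo2lomuqhk43fojzsa5dpebrgk3dp.c1.tunnel.example A
"""

def shannon_entropy(label):
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def query_names(log_text):
    """Yield the lower-cased query name from each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[2].lower().rstrip(".")

def suspicious_domains(log_text, min_len=24, min_entropy=3.5, min_unique=3):
    """Return {parent domain: sorted distinct query names} for likely DNS tunnels.

    Assumption: the parent domain is the last two labels. A production check
    would use the Public Suffix List and tune thresholds on its own traffic.
    """
    hits = defaultdict(set)
    for qname in query_names(log_text):
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        parent = ".".join(labels[-2:])
        longest = max(labels[:-2], key=len)
        if len(longest) >= min_len and shannon_entropy(longest) >= min_entropy:
            hits[parent].add(qname)  # a set, so repeated queries count once
    # One long random-looking name (a CDN asset host, say) is not enough to flag.
    return {p: sorted(q) for p, q in hits.items() if len(q) >= min_unique}

if __name__ == "__main__":
    for parent, names in suspicious_domains(SAMPLE_LOG).items():
        print(f"{parent}: {len(names)} distinct high-entropy query names")
```

Requiring several distinct names per parent domain keeps a single long CDN-style hostname from raising an alert, at the cost of missing very low-volume channels.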


Article by CyberSIXT