A developer’s routine cleanup task reportedly turned into a disaster after a small mistake in AI-generated code wiped an entire drive.
The incident, first described in a Reddit post, involved code generated by ChatGPT Codex (version 5.3). The user had asked for a simple PowerShell script to remove Python pycache folders. Instead, the script ended up deleting the contents of the user’s F: drive, including project files and Docker data.
What went wrong
According to the post, the issue came down to a subtle escaping problem in the path string. The generated script used a backslash () to escape quotation marks. That approach can work in certain command-line contexts, but things get messy when PowerShell calls cmd.exe via cmd /c. In this case, the escaping didn’t behave as intended. The path variable was effectively reduced to just \, which Windows interprets as the root of the current drive.
Combined with rmdir parameters for silent, recursive deletion, the command reportedly ran without prompting for confirmation. The result: everything under the drive’s root directory was removed.
It wasn’t a complex exploit or some obscure bug, just a small mismatch in how different Windows shells handle escaping.
The episode highlights a growing trend sometimes referred to as “vibecoding”. For simple tasks, that can save time. But when commands interact directly with the file system, small errors can escalate quickly.
PowerShell and cmd.exe don’t interpret escaping the same way. In native PowerShell, the correct escape character is typically the backtick (`), not a backslash. Mixing the two environments introduces edge cases that aren’t always obvious, even to experienced users.
There’s also the broader Windows command-line reality: destructive commands like rmdir or Remove-Item -Recurse -Force don’t necessarily include built-in safety checks unless explicitly configured to prompt.
The developer reportedly managed to recover some data from backups, but much of the drive’s contents were lost.
Incidents like this don’t mean AI coding tools are inherently unsafe. They do, however, reinforce a basic rule: always review generated scripts carefully. Running commands in a sandboxed directory first, or removing force/silent flags during testing, can help avoid worst-case scenarios.
AI can speed up workflows. But when it comes to file operations, a single misplaced character can still have outsized consequences.
Don’t miss a thing! Join our Telegram community for instant updates and grab our free daily newsletter for the best tech stories!
For more daily updates, please visit our News Section.
(Source)
