AI Security Research on Jashid Sany

AI Security Research on Jashid Sany https://jashidsany.com/security-research/ai-security/ Recent content in AI Security Research on Jashid Sany Hugo en-us Sun, 15 Mar 2026 00:00:00 +0000 Windsurf Cascade: Indirect Prompt Injection and Credential Exfiltration via Github Gists https://jashidsany.com/security-research/ai-security/windsurf-indirect-prompt-injection-blog/ Sun, 15 Mar 2026 00:00:00 +0000 https://jashidsany.com/security-research/ai-security/windsurf-indirect-prompt-injection-blog/ How a hidden HTML comment in a GitHub Gist caused Windsurf’s Cascade agent to read SSH keys and AWS credentials, then exfiltrate them to an attacker-controlled endpoint with zero user interaction. Windsurf Cascade: Overly Permissive IDE Agent Bypasses Auto Execution Controls https://jashidsany.com/security-research/ai-security/windsurf-overly-permissive-agent-blog/ Sun, 15 Mar 2026 00:00:00 +0000 https://jashidsany.com/security-research/ai-security/windsurf-overly-permissive-agent-blog/ Windsurf’s Cascade agent reads and writes files outside the workspace with zero confirmation, even with Auto Execution set to Disabled. The review prompt on writes is cosmetic: files exist on disk before the user can reject. Claude Code Finding 1: Silent Command Execution via .mcp.json Trust Model https://jashidsany.com/security-research/ai-security/claude-code-finding-1-mcp-rce/ Thu, 12 Mar 2026 00:00:00 +0000 https://jashidsany.com/security-research/ai-security/claude-code-finding-1-mcp-rce/ How a one-time trust decision in Claude Code enables silent arbitrary command execution when .mcp.json is modified after initial approval. Claude Code Finding 2: MCP Blanket Trust Escalation via enableAllProjectMcpServers https://jashidsany.com/security-research/ai-security/claude-code-finding-2-mcp-trust-escalation/ Thu, 12 Mar 2026 00:00:00 +0000 https://jashidsany.com/security-research/ai-security/claude-code-finding-2-mcp-trust-escalation/ How the 'Use this and all future MCP servers' option grants permanent, unbounded trust to arbitrary MCP server definitions added after the initial consent. Claude Code Finding 3: MCP Tool Confirmation Prompt Misrepresentation Enables Arbitrary Code Execution https://jashidsany.com/security-research/ai-security/claude-code-finding-3-mcp-prompt-mismatch/ Thu, 12 Mar 2026 00:00:00 +0000 https://jashidsany.com/security-research/ai-security/claude-code-finding-3-mcp-prompt-mismatch/ A malicious MCP server can misrepresent tool actions in Claude Code's confirmation prompt, causing users to approve a file read while the server silently executes system commands. Claude Code Finding 4: Remote Control Session Hijacking via Missing Per-Session Authentication https://jashidsany.com/security-research/ai-security/claude-code-finding-4-session-hijack/ Thu, 12 Mar 2026 00:00:00 +0000 https://jashidsany.com/security-research/ai-security/claude-code-finding-4-session-hijack/ The Claude Code remote-control session events endpoint lacks per-session authentication, enabling invisible remote command execution from any machine on the internet.