Windsurf Cascade: Indirect Prompt Injection and Credential Exfiltration via GitHub Gists

How a hidden HTML comment in a GitHub Gist caused Windsurf’s Cascade agent to read SSH keys and AWS credentials, then exfiltrate them to an attacker-controlled endpoint with zero user interaction.

March 15, 2026 · 6 min