Windsurf Cascade: Indirect Prompt Injection and Credential Exfiltration via GitHub Gists

How a hidden HTML comment in a GitHub Gist caused Windsurf’s Cascade agent to read SSH keys and AWS credentials, then exfiltrate them to an attacker-controlled endpoint with zero user interaction.

March 15, 2026 · 6 min

Windsurf Cascade: Overly Permissive IDE Agent Bypasses Auto Execution Controls

Windsurf’s Cascade agent reads and writes files outside the workspace with zero confirmation, even with Auto Execution set to Disabled. The review prompt on writes is cosmetic: files exist on disk before the user can reject.

March 15, 2026 · 5 min