Clinejection: How a GitHub Issue Title Compromised 4,000 Developer Machines via AI Prompt Injection
A five-step supply chain attack dubbed "Clinejection" compromised 4,000 developer machines in February 2026 after a malicious GitHub issue title injected a prompt into Cline's AI triage bot, eventually leading to the theft of npm, VS Code Marketplace, and OpenVSX publish tokens. The attacker published a backdoored cline@2.3.0 to npm that silently installed OpenClaw, a separate AI agent with full system access and persistent daemon capabilities, on every machine that updated Cline during an eight-hour window. According to its post-mortem, Cline has since migrated to OIDC provenance attestations for npm publishing and eliminated long-lived tokens, but the attack exposed a structural gap in how AI agents in CI/CD pipelines handle untrusted natural-language input.
Key Takeaways
- cline@2.3.0 (npm) contained a postinstall hook installing OpenClaw globally; package was live for ~8 hours with ~4,000 downloads before removal on Feb 17, 2026
- Attack chain: prompt injection via GitHub issue title → AI bot executes arbitrary npm install → GitHub Actions cache poisoning → credential theft (NPM_RELEASE_TOKEN, VSCE_PAT, OVSX_PAT) → malicious publish
- Cline remediation: eliminated Actions cache from credential workflows, adopted OIDC npm provenance attestations, added credential rotation verification, and commissioned third-party CI/CD security audits
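The first takeaway describes a postinstall hook that installed a second package globally. As an added example (not code from Cline, npm, or the original article), this Node.js script flags that pattern in a package manifest; the function name auditManifest, the regexes, and the sample manifests with the placeholder package example-agent are constructed assumptions.

```javascript
// Added example: flag npm install-time lifecycle scripts that install
// another package globally. Patterns are illustrative assumptions.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Matches "npm install -g x", "npm i --global x", "pnpm add -g x",
// "yarn global add x". [^&|;]* keeps the match inside one shell command.
const GLOBAL_INSTALL = [
  /\b(?:npm|pnpm)\s+(?:install|i|add)\b[^&|;]*\s(?:-g|--global)\b/,
  /\byarn\s+global\s+add\b/,
];

// Returns one finding per install hook whose command does a global install.
function auditManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    if (GLOBAL_INSTALL.some((re) => re.test(cmd))) {
      findings.push({ pkg: `${manifest.name}@${manifest.version}`, hook, cmd });
    }
  }
  return findings;
}

// Constructed manifests; "example-agent" is a placeholder, not the real hook.
const SUSPICIOUS = JSON.stringify({
  name: "example-cli", version: "0.0.1",
  scripts: { postinstall: "node setup.js && npm i --global example-agent" },
});
const BENIGN = JSON.stringify({
  name: "example-lib", version: "1.0.0",
  scripts: { postinstall: "node scripts/build.js", test: "npm install -g x" },
});

console.log(auditManifest(SUSPICIOUS)); // one finding on the postinstall hook
console.log(auditManifest(BENIGN)); // no findings: "test" is not an install hook
```

Running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) stops lifecycle scripts from executing at install time, at the cost of breaking packages that depend on them.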
Original source: Grith