What Happened
Security researcher Adnan Khan found a vulnerability chain in Cline, the popular AI coding assistant with over 5 million users, that turned its own AI-powered issue triage bot into an attack vector.
Cline's maintainers had deployed a GitHub Actions workflow using Anthropic's claude-code-action to automatically triage new issues. The problem: it interpolated GitHub issue titles directly into Claude's prompt without any sanitization. An attacker could craft a malicious issue title that instructed the AI to run arbitrary commands.
The attack, dubbed "Clinejection," worked in three stages:
Stage 1 - Prompt injection. A crafted issue title told Claude to install a package from a malicious Git commit. That package had a preinstall script that exfiltrated the ANTHROPIC_API_KEY to an attacker-controlled server.
Stage 2 - Cache poisoning. The triage workflow shared GitHub Actions cache with Cline's release workflow. Using a tool called Cacheract, the attacker flooded the cache with 10+ GB of junk data, forced eviction of legitimate entries, and injected poisoned node_modules that would execute on the next release build.
Stage 3 - Credential theft. When the nightly release workflow ran at 2 AM UTC, it restored the poisoned cache and gave the attacker access to npm, VS Code Marketplace, and OpenVSX publishing tokens.
The timeline: Khan submitted a GitHub Security Advisory (GHSA-9ppg-jx86-fqw7) on January 1, 2026. He publicly disclosed on February 9 and Cline patched within 30 minutes. But on February 17, an unknown attacker published an unauthorized [email protected] to npm that was live for roughly 8 hours. It added a postinstall script installing OpenClaw globally. Cline has since migrated to OIDC provenance for npm publishing.
Why It Matters
This is the first major real-world supply chain attack that used prompt injection against an AI coding agent as the entry point. That makes it a reference case for anyone running AI agents in CI/CD pipelines.
The configuration mistakes were stacked: the workflow gave Claude access to Bash, file operations, and web tools. Any GitHub user could trigger it. The triage bot and release pipeline shared cache. And the same credentials worked for both nightly and production releases.
If you use any AI coding tool that integrates with your CI/CD, you should be asking: what can this agent access? What happens if someone feeds it a malicious prompt through a pull request title, issue body, or commit message? These are untrusted inputs flowing directly into an agent with real permissions.
The actual damage was limited - a single rogue npm package, no confirmed malicious VS Code extension push. But the potential was a backdoored extension auto-updating on 5 million developer machines with access to credentials, SSH keys, and source code.
Our Take
This attack worked because Cline gave an AI agent too much power in a context where it processed untrusted user input. That's a pattern we see constantly right now. Teams are rushing to add AI automation to their workflows without treating the AI agent as an attack surface.
The fix isn't to stop using AI in CI/CD. It's to apply the same principle you'd apply to any automation: least privilege. Don't give a triage bot Bash access. Don't share cache between low-trust and high-trust workflows. Don't reuse publishing credentials across contexts.
For users of AI coding tools like Cline, Cursor, Continue, or Aider, this is a reminder that these tools operate with significant system access. If you had [email protected] installed, uninstall it, remove OpenClaw (npm uninstall -g openclaw), reinstall cline@latest, and rotate any credentials that were accessible on that machine.
The broader lesson: prompt injection isn't just an annoyance that makes chatbots say weird things. When an AI agent has tool access, prompt injection becomes remote code execution.