Clinejection: When Your AI Coding Tool Became the Weapon
In February 2026, the Cline open-source project was compromised through a multi-stage attack called Clinejection, which exploited indirect prompt injection and cache poisoning to steal credentials. The attacker used a malicious GitHub issue title to manipulate an AI triage bot into leaking a GitHub Actions token, enabling further exploitation. This ultimately led to the unauthorized publication of a rogue AI agent, OpenClaw, on npm, affecting approximately 4,000 downloads before removal.
- ▪An attacker used indirect prompt injection via a GitHub issue title to manipulate Cline's AI triage bot into leaking a sensitive GitHub Actions token.
- ▪The attack chain included cache poisoning in GitHub Actions, which allowed the attacker to exfiltrate an npm publish token during the workflow execution.
- ▪Approximately 4,000 downloads of the malicious OpenClaw package occurred before it was removed from npm.
- ▪The vulnerability exploited a long-lived, broadly-scoped npm automation token stored in GitHub Actions without workflow or branch restrictions.
- ▪Clinejection highlights the risks of combining AI automation with insufficient input validation and overly permissive secrets management in CI/CD pipelines.
Opening excerpt (first ~120 words) tap to expand
try { if(localStorage) { let currentUser = localStorage.getItem('current_user'); if (currentUser) { currentUser = JSON.parse(currentUser); if (currentUser.id === 3821075) { document.getElementById('article-show-container').classList.add('current-user-is-article-author'); } } } } catch (e) { console.error(e); } Toni Antunovic Posted on May 16 • Originally published at lucidshark.com Clinejection: When Your AI Coding Tool Became the Weapon #promptinjection #supplychainsecurity #devsecops #githubactions This article was originally published on LucidShark Blog. On February 17, 2026, a developer opened a GitHub issue on the Cline repository. The issue title looked routine. It was not. Embedded in that title was a prompt injection payload targeting Cline's own AI-powered issue triage bot.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to (Top).
Discussion
0 commentsMore from DEV.to (Top)
