🟢 READ | ⏱ 8 min | 📡 9/10 | 🎯 Security Engineers, DevOps Professionals, Developers

TL;DR

A prompt injection attack on Cline's GitHub issue triage AI bot triggered a five-step supply chain attack affecting 4,000 developers. An attacker embedded code execution instructions in an issue title, leading to cache poisoning, credential theft, and the publication of a malicious version of Cline that silently installed OpenClaw on developer machines.

Signal

• Clinejection exploited a five-step attack chain: prompt injection → arbitrary code execution → cache poisoning → credential theft → malicious publish, with the AI bot interpreting untrusted GitHub issue text as executable instructions
• Cline's AI triage workflow had allowed_non_write_users: "*" and directly interpolated issue titles into prompts without sanitization, enabling any GitHub user to trigger code execution
• The stolen npm token published cline@2.3.0 with a postinstall hook silently installing OpenClaw globally on approximately 4,000 machines; the malicious package remained live for 14 minutes before automated monitoring flagged it

What They're NOT Telling You

The vulnerability was reported to Cline in December 2025 but went unpatched until February after public disclosure. Additionally, Cline's credential rotation was incomplete, leaving the compromised npm token valid for six days after the initial rotation—enough time for the attacker to publish the malicious version. This case also exemplifies the recursive agent problem: one AI tool (Cline) compromised to silently install another (OpenClaw) without developer consent or evaluation.

Trust Check

Factuality ✅ | Author Authority ✅ | Actionability ✅