A prompt injection in a GitHub issue triggered a chain reaction that ended with 4,000 developers getting OpenClaw installed without consent. The attack composes well-understood vulnerabilities into something new: one AI tool bootstrapping another.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

A detailed breakdown of 'Clinejection', a five-step supply chain attack that compromised ~4,000 developer machines in February 2026. An attacker injected a malicious instruction into a GitHub issue title, which an AI triage bot (using claude-code-action) executed as a legitimate command. This triggered cache poisoning via Cacheract, which evicted legitimate GitHub Actions cache entries and replaced them with compromised ones. When Cline's nightly release workflow ran, it restored the poisoned node_modules, exposing npm and marketplace tokens. The attacker used the stolen npm token to publish cline@2.3.0 with a postinstall hook that silently installed OpenClaw—a separate AI agent with shell access and persistent daemon capabilities—on every developer's machine. A botched credential rotation left the stolen token active long enough for the attack to succeed despite prior disclosure. The post analyzes why existing controls (npm audit, code review, provenance attestations) failed, details Cline's remediation steps including OIDC provenance adoption, and frames the incident as a broader architectural problem with AI agents in CI/CD pipelines processing untrusted input with privileged access.

A GitHub Issue Title Compromised 4,000 Developer Machines