A prompt injection in a GitHub issue title gave attackers code execution inside Cline's CI/CD pipeline, leading to cache poisoning, stolen npm credentials, and an unauthorized package publish affecting the popular AI coding tool's 5 million users. Here's the full technical breakdown and what developers should do now.

Snyk's blog is a source of information and advice for developers looking to ensure the security of their software applications. From vulnerability management and secure coding practices to compliance standards and threat intelligence, it covers a wide range of topics relevant to software security. Through practical tips, case studies, and expert commentary, the blog empowers developers to identify and address security vulnerabilities in their code, helping them build and maintain secure software applications in today's threat landscape.

Snyk

A detailed technical breakdown of the 'Clinejection' supply chain attack against the Cline AI coding tool. An attacker exploited an AI-powered GitHub issue triage bot by crafting a malicious issue title containing a prompt injection payload. This tricked Claude into running npm install from an attacker-controlled commit, executing a preinstall script that deployed the Cacheract tool to poison the shared GitHub Actions cache. The poisoned cache was later consumed by the nightly release workflow, which had access to production npm, VS Code Marketplace, and OpenVSX tokens. Due to incomplete credential rotation after the original disclosure, an unknown actor used a still-active npm token to publish an unauthorized cline@2.3.0 package that installed the OpenClaw AI agent on developer machines. The package was live for ~8 hours before being deprecated. The article covers the full attack chain, timeline, actual vs. potential impact, and concrete defensive recommendations including minimizing AI agent tool permissions, avoiding cache use in release workflows, isolating credentials, sanitizing untrusted input, and migrating to OIDC-based short-lived tokens.

How “Clinejection” Turned an AI Bot into a Supply Chain Attack

Step 2: Pivoting via GitHub Actions cache poisoning

Step 3: Nightly credentials \= production credentials

From disclosure to exploitation: What actually happened

AI agents are the new CI/CD attack surface

Low severity — high potential blast radius

Defending your CI/CD pipelines against AI-native attacks

The AI Security Crisis in Your Python Environment