How to steal npm publish tokens by opening GitHub issues
A detailed breakdown of how the Cline CLI npm package was compromised in February 2026. An attacker exploited a chain of vulnerabilities: first, a prompt injection via GitHub issue titles into an AI-powered triage bot (using claude-code-action) that had Bash/Write tool access on the CI runner. Since that runner lacked publish secrets, the attacker used GitHub Actions cache poisoning: flooding the shared cache to evict the legitimate node_modules entry, then writing a poisoned replacement with the same predictable cache key. When the nightly release workflow ran, it restored the poisoned node_modules, which exfiltrated the NPM_RELEASE_TOKEN. The stolen token was used 8 days later to publish cline@2.3.0 with a malicious postinstall hook. Mitigations include disabling npm lifecycle scripts by default, using npm ci, and running npm audit signatures in CI.
Table of contents
What is OpenClaw and why should you care
What the postinstall line actually does (and doesn't do)
How they stole the publish token
What you can actually do
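The summary above lists "disable npm lifecycle scripts by default" as the first mitigation. As an added example (not code from the article or from the Cline project), here is a small audit a CI job could run against the installed tree to list every dependency that declares an install-time script, plus a check that the repository .npmrc actually sets ignore-scripts; the package names and manifests are constructed.

```python
"""Audit an npm install tree for install-time lifecycle scripts (added example)."""
import json
import os
import tempfile

# The lifecycle hooks npm runs when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_lifecycle_scripts(node_modules):
    """Return sorted (package, hook, command) tuples for every package under
    node_modules whose package.json declares an install-time script."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # unreadable manifest: skip, do not crash the audit
        scripts = manifest.get("scripts") or {}
        name = manifest.get("name") or os.path.relpath(dirpath, node_modules)
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook, scripts[hook]))
    return sorted(findings)


def npmrc_ignores_scripts(npmrc_text):
    """True when the .npmrc text sets ignore-scripts=true (comments tolerated)."""
    for line in npmrc_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False


def build_sample_tree():
    """Constructed sample tree: two benign packages, one with a postinstall hook."""
    nm = os.path.join(tempfile.mkdtemp(), "node_modules")
    manifests = {
        "left-pad": {"name": "left-pad", "version": "1.0.0"},
        "@scope/helper": {"name": "@scope/helper", "version": "2.0.0", "scripts": {"test": "jest"}},
        "suspicious-dep": {"name": "suspicious-dep", "version": "0.0.1",
                           "scripts": {"postinstall": "node setup.js"}},
    }
    for path, manifest in manifests.items():
        pkg_dir = os.path.join(nm, *path.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return nm


if __name__ == "__main__":
    for name, hook, cmd in find_lifecycle_scripts(build_sample_tree()):
        print(f"{name}: {hook} -> {cmd}")
```

Pointing `find_lifecycle_scripts` at a real node_modules after `npm ci` gives a review list of every package that would run code at install time if ignore-scripts were not set.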