A detailed breakdown of 'Clinejection', a five-step supply chain attack that compromised ~4,000 developer machines in February 2026. An attacker injected a malicious instruction into a GitHub issue title, which an AI triage bot (using claude-code-action) executed as a legitimate command. This triggered cache poisoning via Cacheract, which evicted legitimate GitHub Actions cache entries and replaced them with compromised ones. When Cline's nightly release workflow ran, it restored the poisoned node_modules, exposing npm and marketplace tokens. The attacker used the stolen npm token to publish cline@2.3.0 with a postinstall hook that silently installed OpenClaw—a separate AI agent with shell access and persistent daemon capabilities—on every developer's machine. A botched credential rotation left the stolen token active long enough for the attack to succeed despite prior disclosure. The post analyzes why existing controls (npm audit, code review, provenance attestations) failed, details Cline's remediation steps including OIDC provenance adoption, and frames the incident as a broader architectural problem with AI agents in CI/CD pipelines processing untrusted input with privileged access.
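The final stage described above relied on a new package version gaining a postinstall hook. The check below is an added example, not code from the post or from Cline: it compares two `package-lock.json` snapshots (lockfileVersion 2 or 3) and reports packages whose `hasInstallScript` flag is new or whose version changed while carrying one. The function names, the allowlist format and the sample lockfiles are assumptions made for illustration.

```javascript
// Added example: flag packages that gain an install-time script between two
// package-lock.json snapshots (lockfileVersion 2 or 3).

// Package name is whatever follows the last "node_modules/" in the lock key,
// which also handles nested and scoped packages.
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Collect every entry npm marked with hasInstallScript (set when the package
// declares a preinstall, install or postinstall script).
function installScriptPackages(lock) {
  const found = new Map();
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '' || !meta.hasInstallScript) continue; // '' is the root project
    found.set(key, { name: nameFromLockKey(key), version: meta.version, path: key });
  }
  return found;
}

// Report entries whose install script is new in `after`, or whose version
// changed while carrying one, unless that exact name@version is allowlisted.
function newInstallScripts(before, after, allowlist = []) {
  const allowed = new Set(allowlist);
  const old = installScriptPackages(before);
  const findings = [];
  for (const [key, pkg] of installScriptPackages(after)) {
    const prev = old.get(key);
    if (prev && prev.version === pkg.version) continue; // unchanged, already known
    if (allowed.has(`${pkg.name}@${pkg.version}`)) continue; // reviewed earlier
    findings.push({ ...pkg, previousVersion: before.packages?.[key]?.version ?? null });
  }
  return findings;
}

// Constructed sample lockfiles; package names and versions are hypothetical.
const lockBefore = { lockfileVersion: 3, packages: {
  '': { name: 'my-app', version: '1.0.0' },
  'node_modules/example-cli': { version: '1.0.0' },
  'node_modules/@scope/native-dep': { version: '4.2.0', hasInstallScript: true },
} };
const lockAfter = { lockfileVersion: 3, packages: {
  '': { name: 'my-app', version: '1.0.0' },
  'node_modules/example-cli': { version: '1.1.0', hasInstallScript: true },
  'node_modules/@scope/native-dep': { version: '4.2.0', hasInstallScript: true },
} };

console.log(newInstallScripts(lockBefore, lockAfter));
```

Run as a pre-merge step on lockfile changes, a non-empty result is a prompt to review the package before any install executes its scripts; installing with `npm ci --ignore-scripts` keeps lifecycle hooks from running in the meantime.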
