Full Report
Cline is a CLI npm package that is a simple AI assistant. Recently, it experienced a supply chain compromise via a unique prompt-injection bug. The package used the GitHub Action claude-code-action to trigger actions when users create an issue. This executed some code in the repository's context, but not much else is said. The title and description were given directly to Claude for use. However, the title was able to hijack Claude's actions through this input. The AI bot was instructed to install a malicious npm package. Claude did what it was told and installed a typosquatted package, glthub-actions/cline. The fork of the regular package contained a package.json with a preinstall script that executed a remote shell.

The attacker then used the bash script Cacheract to poison the cache. In particular, this tool can be used to persist information in the build pipeline. So, the intended build was not run during a daily release Action; the poisoned one was. Using these privileges, they stole the NPM_RELEASE_TOKEN and several other tokens. The NPM token was used to publish the malicious npm module. The malicious Cline version included a script that installed OpenClaw via a postinstall hook. The version was only live for 14 minutes before StepSecurity identified the issue, and it was removed within 8 hours. The story gets crazier, though: the maintainers attempted to rotate the stolen credentials but deleted the WRONG token. So, the token remained active long enough for a new version to be deployed 6 days later. Apparently, this had been reported to the project by Adnan Khan in December of 2025, but it was never acknowledged. A threat actor found the PoC on his test repository and exploited the bug themselves.

How StepSecurity caught this so fast is fascinating. First, the publish differed from normal patterns: in the usual case, the project used OIDC trusted publishing instead of human publishing. Next, legitimate releases use attestations to verify the package's legitimacy, which also weren't present. Finally, the postinstall script was malicious and made no sense in this context. StepSecurity included a few steps for enterprise customers to protect themselves. First, use a cooldown period to ensure a newly updated package isn't used right away. They also have a GitHub Actions runner hardening process to make this harder to perform.

Cline took the exploit seriously and made some changes. First, they disabled caching where credentials are used. Next, they started using provenance attestations for npm publishing. Finally, they improved their security process with SLAs, verification requirements on credential rotation, and third-party audits of the infrastructure. Going forward, I expect to see more of these completely automated flows getting compromised like this.
Analysis Summary
# Incident Report: "Clinejection" Supply Chain Compromise
## Executive Summary
The Cline (formerly Claude Dev) npm package suffered a supply chain compromise where an attacker used prompt injection via a GitHub Issue title to hijack an AI triage bot. This allowed the attacker to steal NPM release tokens and publish a malicious version of the package (`[email protected]`) that silently installed "OpenClaw," a secondary AI agent, on approximately 4,000 developer machines. The incident was exacerbated by a botched credential rotation by the maintainers following an initial vulnerability report.
## Incident Details
- **Discovery Date:** February 17, 2026 (Detection of malicious npm publish)
- **Incident Date:** January 28, 2026 (Initial injection) – February 17, 2026 (Final impact)
- **Affected Organization:** Cline (GitHub/NPM project)
- **Sector:** Software Development / AI Tooling
- **Geography:** Global / Distributed
## Timeline of Events
### Initial Access
- **Date/Time:** January 28, 2026
- **Vector:** Prompt Injection via GitHub Issue Title
- **Details:** An attacker created Issue #8904. The title contained a natural language instruction that hijacked the `claude-code-action` AI bot. Because the bot had `allowed_non_write_users: "*"` permissions, it followed the injected instruction to install a package from a typosquatted repository: `glthub-actions/cline`.
### Lateral Movement
- **Execution:** The AI bot executed `npm install` on the malicious fork. A `preinstall` script in the fork's `package.json` executed a remote shell script.
- **Persistence/Cache Poisoning:** The attacker used a tool called "Cacheract" to flood the GitHub Actions cache with 10GB of data, evicting legitimate entries and replacing them with poisoned entries that would be pulled by the project's nightly release workflow.
### Data Exfiltration/Impact
- **Credential Theft:** On February 17, the nightly release workflow restored the poisoned cache. The workflow's environment variables were compromised, leading to the theft of `NPM_RELEASE_TOKEN`, `VSCE_PAT`, and `OVSX_PAT`.
- **Malicious Publish:** The attacker used the stolen token to publish `[email protected]` which included a `postinstall` script: `npm install -g openclaw@latest`.
### Detection & Response
- **Discovery:** StepSecurity identified the malicious release 14 minutes after it was published due to anomalies (human publishing vs. OIDC; missing attestations).
- **Initial Fix:** The package was live for 8 hours before being pulled.
- **Cleanup:** Maintainers had previously attempted to rotate tokens on February 10 but accidentally deleted the wrong token, leaving the compromised one active for the final attack.
## Attack Methodology
- **Initial Access:** Prompt Injection (natural language instruction in GitHub Issue title).
- **Persistence:** GitHub Actions Cache Poisoning (Cacheract) and typosquatted GitHub repository.
- **Privilege Escalation:** Inherited permissions of the `claude-code-action` and subsequently the release workflow.
- **Defense Evasion:** Typosquatting (`glthub-actions`), mimicking legitimate performance reports, and LRU cache eviction.
- **Credential Access:** Exfiltration of GitHub Secrets (NPM/VSCE/OVSX tokens) from the CI/CD pipeline environment.
- **Exfiltration:** Remote bash script sending tokens to an attacker-controlled endpoint.
- **Impact:** Supply chain compromise affecting 4,000 downstream users.
## Impact Assessment
- **Financial:** High (Potential litigation/remediation costs for 4,000 compromised machines).
- **Data Breach:** Exfiltration of internal CI/CD secrets and potential system access to 4,000 developer environments via OpenClaw.
- **Operational:** Disruption of release pipelines and 14-day window of vulnerability.
- **Reputational:** Significant damage due to failure to respond to researcher Adnan Khan's initial December 2025 disclosure.
## Indicators of Compromise
- **File indicators:** `package.json` containing `"postinstall": "npm install -g openclaw@latest"`
- **Behavioral indicators:** `npm publish` performed by a human user instead of OIDC-based trusted publishing; missing GitHub provenance attestations; 10GB+ cache spikes.
- **Network indicators:** Connections to `glthub-actions[.]com` (defanged) and remote shell script downloads.
## Response Actions
- **Containment:** Removal of the malicious `[email protected]` package from the npm registry.
- **Eradication:** Removal of AI-powered triage workflows; actual rotation of all compromised tokens (NPM, VSCE, OVSX).
- **Recovery:** Implementation of OIDC trusted publishing and provenance attestations.
## Lessons Learned
- **AI Triage Risks:** Untrusted user input (GitHub Issue titles) should never be passed directly to an AI agent with execution capabilities.
- **Response Failure:** Delay in acknowledging security researcher reports (SLA failure) led to a public PoC being weaponized by a threat actor.
- **Human Error:** Credential rotation is a high-stakes task; verifying *which* token is being deleted is critical.
## Recommendations
- **Pipeline Hardening:** Use StepSecurity or similar tools to restrict network access for GitHub Actions runners.
- **Publishing Safeguards:** Use "Cooldown Periods" for new package versions and mandatory OIDC/Provenance for all registry publishes.
- **Agent Governance:** Use tools like `grith` or system-level proxies to audit and intercept shell commands issued by AI agents.
- **Workflow Security:** Disable caching in sensitive pipelines where secret exfiltration is a risk.
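As an added example (not code from the original post, nor from Cline or StepSecurity), the following Python gate applies the anomalies listed under Indicators of Compromise and the cooldown recommendation to a package's npm registry metadata before it is installed: publish age, presence of a provenance attestation, and the contents of install lifecycle hooks. It assumes the public registry document shape (`time`, `versions[v].scripts`, `versions[v].dist.attestations`); the package name, versions and timestamps are constructed, not the incident's real values.

```python
# Added example: a pre-install gate over npm registry metadata that flags the
# three anomalies the write-up describes (no cooldown, no provenance
# attestation, an install hook that spawns further installs). Offline only.
from datetime import datetime, timedelta, timezone
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # run on `npm install`
# Commands with no business in an install hook: global installs of other
# packages, and download-and-execute pipelines.
SUSPICIOUS = re.compile(r"npm\s+(install|i)\s+-g|(curl|wget)\b.*\|\s*(ba)?sh\b")

# Constructed registry document (field names follow the public registry schema,
# assumed here; package, versions and timestamps are made up).
SAMPLE_META = {
    "name": "example-pkg",
    "time": {"1.0.0": "2026-01-10T00:00:00.000Z", "1.0.1": "2026-02-17T12:00:00.000Z"},
    "versions": {
        "1.0.0": {"scripts": {"build": "tsc"},
                  "dist": {"attestations": {"provenance": {"predicateType": "https://slsa.dev/provenance/v1"}}}},
        "1.0.1": {"scripts": {"postinstall": "npm install -g openclaw@latest"},
                  "dist": {}},
    },
}
NOW = datetime(2026, 2, 17, 12, 14, tzinfo=timezone.utc)  # constructed "now"

def check_version(meta, version, now=NOW, cooldown_days=7):
    """Return findings for one version; an empty list means it passes the gate."""
    manifest = meta["versions"][version]
    published = datetime.fromisoformat(meta["time"][version].replace("Z", "+00:00"))
    findings = []
    age = now - published
    if age < timedelta(days=cooldown_days):
        findings.append(f"cooldown: published {age} ago, under the {cooldown_days}-day window")
    if "attestations" not in manifest.get("dist", {}):
        findings.append("provenance: no attestation on dist")
    for hook in INSTALL_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd and SUSPICIOUS.search(cmd):
            findings.append(f"{hook}: suspicious command {cmd!r}")
    return findings

def latest_version(meta):
    """Newest version by publish time (what `npm install <pkg>` picks by default)."""
    return max(meta["versions"], key=lambda v: meta["time"][v])

if __name__ == "__main__":
    v = latest_version(SAMPLE_META)
    for finding in check_version(SAMPLE_META, v):
        print(f"{SAMPLE_META['name']}@{v}: {finding}")
```

Against the constructed document, the older version passes cleanly while the freshly published one trips all three checks, which is the combination a cooldown policy and an install-hook review are meant to stop before `npm install` runs it.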