Feb 20
AI Hijacks AI: "Clinejection" Attack Compromises Popular Coding Assistant
A sophisticated supply chain attack has rocked the developer community this week as the popular AI-powered coding assistant, Cline CLI, was hijacked to distribute unauthorized software.
On February 17, 2026, an unknown threat actor exploited a novel vulnerability dubbed "Clinejection" to compromise the project’s distribution pipeline, resulting in the stealthy installation of the OpenClaw autonomous AI agent on thousands of developer machines during a critical eight-hour window.
The breach began early Tuesday morning when an unauthorized party used a compromised npm publish token to release Cline version 2.3.0. The core functionality of the tool remained intact, but maintainers discovered a modified configuration file containing a "postinstall" script designed to automatically download and install OpenClaw. According to data from StepSecurity, the tainted package was downloaded approximately 4,000 times before the maintainers could intervene. Security researchers, including Henrik Plate from Endor Labs, noted that OpenClaw itself is not inherently malicious and that the installation did not initiate the active gateway daemon; even so, the unauthorized nature of the deployment has raised significant alarms regarding the security of AI-integrated development tools.
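For teams that want to check their own dependency trees for this kind of install-time hook, the following added example (not code from Cline, StepSecurity or any project named here) audits package.json manifests for lifecycle scripts that npm runs automatically during installation. The sample manifests, package names and risk heuristics are constructed assumptions.

```javascript
// Added example: audit package.json manifests for install-time lifecycle scripts.
const fs = require("node:fs");
const path = require("node:path");

// npm runs these automatically when a dependency is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristics (assumptions, not exhaustive) for hooks that fetch or install more software.
const RISKY = [
  [/\bnpm\s+(i|install|add)\b.*(\s-g\b|--global\b)/, "global npm install"],
  [/\b(curl|wget)\b/, "network download"],
  [/\bnode\s+-e\b|\beval\b/, "inline code execution"],
];

function auditManifest(manifest, file = "<inline>") {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string").map((hook) => ({
    file,
    pkg: `${manifest.name}@${manifest.version}`,
    hook,
    command: scripts[hook],
    reasons: RISKY.filter(([re]) => re.test(scripts[hook])).map(([, why]) => why),
  }));
}

// Walk a node_modules tree on disk, including scoped and nested packages.
function auditTree(dir, findings = []) {
  if (!fs.existsSync(dir)) return findings;
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const full = path.join(dir, entry.name);
    if (entry.name.startsWith("@")) { auditTree(full, findings); continue; }
    const file = path.join(full, "package.json");
    if (fs.existsSync(file)) {
      try { findings.push(...auditManifest(JSON.parse(fs.readFileSync(file, "utf8")), file)); }
      catch { findings.push({ file, hook: null, reasons: ["unparseable package.json"] }); }
    }
    auditTree(path.join(full, "node_modules"), findings);
  }
  return findings;
}

// Constructed sample manifests (not the contents of any real package).
const SAMPLES = [
  { name: "example-cli", version: "9.9.9", scripts: { postinstall: "npm install -g example-agent@latest" } },
  { name: "clean-lib", version: "1.0.0", scripts: { test: "node test.js" } },
];
const sampleFindings = SAMPLES.flatMap((m) => auditManifest(m));
console.log(JSON.stringify(sampleFindings, null, 2));
```

Calling `auditTree("node_modules")` in a project directory lists every installed package with an install hook; a finding with empty `reasons` (for example a native build step) still deserves a look when it appears in a version that did not have it before.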
The root cause of the compromise has been traced back to a high-concept exploit chain identified by security researcher Adnan Khan. The vulnerability, "Clinejection," stems from a misconfiguration in the project’s GitHub repository introduced in late 2025. To reduce maintainer burden, the project used Claude AI to automatically triage incoming GitHub issues. However, an attacker discovered they could use a prompt injection hidden within an issue title to trick the AI into executing arbitrary commands. By filling GitHub's cache with junk data to trigger a "Least Recently Used" eviction and then poisoning the cache entries, the attacker successfully pivoted from a low-privilege triage workflow to a highly privileged nightly release workflow, effectively stealing the production secrets needed to publish to the npm registry.
In response to the incident, the Cline team has moved swiftly to secure their infrastructure. They released version 2.4.0 to mitigate the unauthorized changes, deprecated the compromised version 2.3.0, and revoked the stolen tokens. Perhaps most importantly, the project has updated its publishing mechanism to support OpenID Connect (OIDC) via GitHub Actions, a move that eliminates the need for long-lived, harvestable secrets. Microsoft Threat Intelligence confirmed they observed the uptick in OpenClaw installations but concurred that the overall immediate impact remains low. Nevertheless, the event serves as a stark reminder that as we delegate more autonomy to AI agents in our workflows, the surface area for creative, prompt-based exploitation continues to expand.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.