
The Cline Breach: Prompt Injection to Supply Chain Compromise in 8 Hours

The Cline CLI attack showed how indirect prompt injection against an AI issue triage bot led to npm token theft and 4,000 compromised installations—previewing a broader agentic AI security crisis that scales with agent adoption.

TL;DR
  • The Cline CLI supply chain attack (February 2026) was the first documented instance of prompt injection directly enabling supply chain compromise across 4,000+ npm package installations
  • Attackers targeted npm CLI in CI/CD build environments (not VS Code extension), suggesting deliberate focus on enterprise build systems with cached credentials and privileged execution
  • The attack chain: indirect prompt injection → npm token exfiltration → malicious package publication → OpenClaw autonomous agent installation → CI/CD credential access
  • Cline maintainers did not respond to vulnerability disclosure for 30+ days, then deleted the wrong token during credential rotation—revealing security response failures in open-source AI projects with unprecedented system access
  • The same fundamental vulnerability pattern (AI agents processing untrusted inputs with privileged access) exists in both open-source developer tools and classified military AI systems, but security frameworks remain unverifiable
Tags: security, supply-chain, prompt-injection, agentic-ai, devtools · 4 min read · Mar 1, 2026

The Attack Chain: From Vulnerability to Enterprise Compromise

In December 2025, researcher Adnan Khan discovered that Cline's AI issue triage bot was vulnerable to indirect prompt injection through GitHub issues. By carefully crafting issue titles and descriptions, an attacker could influence the AI bot's behavior without direct access to the system.

Khan responsibly disclosed the vulnerability through a GitHub Security Advisory. Standard responsible disclosure provides a 30-day remediation window before public disclosure.

On February 9, 2026—after 39 days without response from Cline maintainers—Khan published the "Clinejection" research publicly. Within 30 minutes, Cline fixed the vulnerable GitHub Actions workflow. But during credential rotation, the team deleted the wrong npm token.

On February 17, an unknown attacker used the still-active compromised npm token to publish cline@2.3.0 containing a postinstall script that installed OpenClaw—a persistent daemon with access to WhatsApp, Telegram, Slack, Discord, iMessage, and Teams. The malicious version was live for approximately 8 hours before cline@2.4.0 (clean) was published and 2.3.0 was deprecated.

Approximately 4,000 installations occurred during those 8 hours. The attack was over before most developers were aware it happened.

Why CI/CD? The Attacker Understood Supply Chain Attack Economics

The attacker specifically targeted the npm CLI package used in CI/CD build environments, not the VS Code extension used by individual developers. This is a critical distinction.

CI/CD environments have permanent token storage, automated execution, and access to production secrets. A developer running Cline on their laptop loses personal data. A CI/CD system running cline@2.3.0 provides access to:

  • GitHub deploy keys and action runner tokens
  • Docker registry credentials
  • AWS, GCP, and Azure cloud credentials
  • Database connection strings and API keys
  • SSL certificates for production infrastructure

The attacker was hunting for enterprise infrastructure access, not individual developer machines. The targeting was sophisticated and deliberate.

The Broader Agentic AI Problem: System Access Without Security Maturity

Cline, Cursor, Copilot, and Devin have deeper system access than any previous developer tool category. They read arbitrary files, execute shell commands, modify code, and interact with CI/CD systems. They are not restricted to IDE plugin sandboxes—they operate at the operating system level.

This access is essential for agentic behavior. But the security infrastructure to protect tools with this level of privilege has not evolved to match.

Open-source AI projects hold unprecedented system privileges but lack proportional security response infrastructure. The asymmetry between access level and security maturity creates a systemic vulnerability in the developer ecosystem.

In parallel, OpenAI is deploying AI agents to classified Pentagon systems with cleared engineers forward-deployed. The same fundamental vulnerability pattern—AI agents processing untrusted inputs with privileged access—exists in both open-source developer tools and classified military systems. The difference is that one has had 30+ days to patch. The other may not have equivalent transparency.

What This Means for Practitioners

Immediate action: Audit all AI-powered CI/CD integrations for untrusted input processing. Check if cline@2.3.0 was installed in any build environments. Rotate npm tokens and migrate to OIDC provenance attestation.
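As an added example (not Cline's own tooling or part of the original post), a small Python audit that parses a package-lock.json for the deprecated cline@2.3.0 release and flags packages declaring npm install-time lifecycle scripts, the delivery mechanism this attack relied on. The lockfile and package.json contents below are constructed samples.

```python
"""Audit a Node project for the malicious cline@2.3.0 release and for
packages that run scripts automatically during `npm install`.
Added example, not Cline's tooling; sample inputs are constructed."""
import json
import sys
from pathlib import Path

# Versions known from the incident write-up; extend as needed (constructed map).
MALICIOUS = {"cline": {"2.3.0"}}

# Constructed sample lockfile (lockfileVersion 3 layout), including a nested copy.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-ci-project"},
        "node_modules/cline": {"version": "2.3.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/cline": {"version": "2.4.0"},
    },
})
# Constructed sample package.json; the script path is a placeholder, not the real one.
SAMPLE_PKG_JSON = json.dumps({"name": "cline", "version": "2.3.0",
                              "scripts": {"postinstall": "node PLACEHOLDER.js"}})

def parse_lockfile(text: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs, including nested installs and scoped names."""
    lock = json.loads(text)
    found = []
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project itself, not a dependency
            found.append((path.split("node_modules/")[-1], meta.get("version", "")))
    if not found:  # lockfileVersion 1 uses a flat "dependencies" map instead
        for name, meta in lock.get("dependencies", {}).items():
            found.append((name, meta.get("version", "")))
    return found

def find_compromised(pairs: list[tuple[str, str]]) -> list[str]:
    """Sorted 'name@version' strings that match a known-malicious release."""
    return sorted(f"{n}@{v}" for n, v in pairs if v in MALICIOUS.get(n, set()))

def install_script_hooks(pkg_json: str) -> list[str]:
    """Lifecycle scripts npm runs on install, in the order npm invokes them."""
    scripts = json.loads(pkg_json).get("scripts", {})
    return [k for k in ("preinstall", "install", "postinstall") if k in scripts]

if __name__ == "__main__":
    lock_path = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    pairs = parse_lockfile(lock_path.read_text()) if lock_path else parse_lockfile(SAMPLE_LOCK)
    print("compromised:", find_compromised(pairs) or "none")
```

In CI, `npm ci --ignore-scripts` stops lifecycle scripts from running at install time, which would have blocked this postinstall-based payload outright.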

AI coding tool evaluation: GitHub Copilot (backed by Microsoft's security team) and Cursor (with enterprise security certifications) have proportional security infrastructure. Open-source alternatives like Cline, while capable, lack the security response maturity required for enterprise CI/CD use.

Enterprise procurement: Teams purchasing AI development tools should now require security audits and published vulnerability-response SLAs as part of procurement criteria. If a tool vendor cannot respond to critical security issues within 48-72 hours, the tool is not suitable for enterprise CI/CD.

Strategic implication: This is the first documented AI-agent-to-supply-chain attack. It will not be the last. The industry-wide security frameworks for agentic AI tools will emerge over 6-12 months, likely including npm registry-level provenance requirements. Organizations that don't audit their AI tooling now will face supply chain security failures in 2026.

Cross-Referenced Sources

5 sources from 1 outlet were cross-referenced to produce this analysis.