GHSA-9PPG-JX86-FQW7: Clinejection: When AI Agents Go Rogue and Poison Your Supply Chain

Published: February 19, 2026 at 12:10 PM EST
2 min read
Source: Dev.to

Clinejection: When AI Agents Go Rogue and Poison Your Supply Chain

Vulnerability ID: GHSA-9PPG-JX86-FQW7
CVSS Score: 9.9 (Critical)
Published: 2026-02-19

In a twist of irony, the popular VS Code extension cline was compromised not by a classic buffer overflow but by its own AI assistant. A Prompt Injection vulnerability in a GitHub Actions workflow allowed an attacker to force the repository’s AI agent to execute arbitrary Bash commands. The attacker then poisoned the GitHub Actions cache, pivoted to a high‑privileged release workflow, stole NPM publishing tokens, and pushed a malicious version (2.3.0) to the npm registry.


TL;DR

A GitHub Action using an AI agent (Claude) to triage issues was vulnerable to prompt injection via issue titles. The attacker executed shell commands, poisoned the build cache, stole deployment secrets during the next release, and published a compromised package version.


Technical Details

Attack Vector: AI Prompt Injection → CI/CD Cache Poisoning
CWE ID: CWE‑94 (Code Injection)
Impact: Supply‑chain compromise, credential theft
Exploit Status: Proof of Concept (publicly disclosed)
Affected Component: claude-issue-triage.yml

Exploit Flow

  1. Issue created with a malicious title containing a prompt injection payload.
  2. The AI‑driven workflow (claude-issue-triage.yml) processes the title and runs injected Bash commands.
  3. Attacker writes large artifacts to the shared GitHub Actions cache, poisoning it.
  4. During the next release workflow, the poisoned cache is used, allowing the attacker to read NPM_RELEASE_TOKEN, VSCE_PAT, and OVSX_PAT.
  5. Attacker publishes a malicious version cline@2.3.0 to the npm registry.

Affected Systems

  • npm registry
  • GitHub Actions (workflows and cache)
  • VS Code Extension Marketplace
  • Developer workstations installing cline

Affected version: cline = 2.3.0 (fixed in 2.3.1)


Exploit Details

  • Adnan Khan Blog: Detailed write‑up of the “Clinejection” technique and PoC –

Mitigation Strategies

  • Remove AI‑driven workflows that process untrusted input with privileged tools.
  • Implement strict cache scoping to prevent low‑privilege workflows from writing to high‑privilege cache keys.
  • Require manual approval for any workflow that accesses deployment secrets.

Remediation Steps

  1. Delete the claude-issue-triage.yml workflow file immediately.
  2. Revoke NPM_RELEASE_TOKEN, VSCE_PAT, and OVSX_PAT tokens.
  3. Unpublish cline@2.3.0 from npm.
  4. Audit GitHub Actions logs for large cache write events (~10 GB) coinciding with issue creation.
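The audit in step 4 can be scripted. The correlator below is an added example, not code from the advisory or the cline project: it reads constructed audit records (the JSON schema, event names, the 5 GiB size threshold and the 15 minute window are all assumptions) and flags cache writes that are both unusually large and follow an issue creation closely, which is the pattern this attack leaves behind.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records; the schema and event names are assumptions
# for this example, not real GitHub audit-log output.
SAMPLE_LOG = """
{"ts": "2026-02-10T14:00:05Z", "event": "issues.opened", "actor": "someuser", "issue": 1234}
{"ts": "2026-02-10T14:02:40Z", "event": "actions.cache_write", "workflow": "claude-issue-triage.yml", "bytes": 10737418240}
{"ts": "2026-02-10T16:30:00Z", "event": "actions.cache_write", "workflow": "ci.yml", "bytes": 52428800}
{"ts": "2026-02-11T09:00:00Z", "event": "actions.cache_write", "workflow": "ci.yml", "bytes": 9000000000}
"""

LARGE_WRITE_BYTES = 5 * 1024 ** 3   # assumed threshold: flag writes of 5 GiB or more
WINDOW = timedelta(minutes=15)      # assumed window: issue creation -> cache write


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec):
    # ISO 8601 with a trailing Z; normalise so fromisoformat accepts it
    return datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))


def find_suspicious_cache_writes(records, large_bytes=LARGE_WRITE_BYTES, window=WINDOW):
    """Return large cache writes that occur within `window` after an issue was opened."""
    issue_times = [(_ts(r), r) for r in records if r["event"] == "issues.opened"]
    findings = []
    for r in records:
        if r["event"] != "actions.cache_write" or r["bytes"] < large_bytes:
            continue
        t = _ts(r)
        for opened_at, issue in issue_times:
            delay = t - opened_at
            if timedelta(0) <= delay <= window:
                findings.append({"workflow": r["workflow"], "bytes": r["bytes"],
                                 "issue": issue["issue"], "delay_s": int(delay.total_seconds())})
                break  # one matching issue is enough to raise the finding
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_cache_writes(parse_log(SAMPLE_LOG)):
        print(finding)
```

Only the 10 GiB write made by the triage workflow 155 seconds after issue #1234 is reported; the large CI write the next morning has no nearby issue event and is ignored.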
