What is Clinejection?

Clinejection is a five-step supply chain attack discovered in February 2026 where a prompt injection in a GitHub issue title led to OpenClaw being silently installed on approximately 4,000 developer machines via a compromised npm package.

How did the Clinejection attack work?

An attacker crafted a GitHub issue title containing malicious instructions. Cline's AI triage bot (claude-code-action, configured with allowed_non_write_users: *) read and executed the title, exfiltrating an npm publish token. The attacker then published cline@2.3.0 with a postinstall hook that ran npm install -g openclaw@latest.

How many developers were affected by Clinejection?

Approximately 4,000 developers downloaded the compromised package during the 8-hour window before it was detected and unpublished from the npm registry.

Who discovered the Clinejection vulnerability?

Security researcher Adnan Khan discovered the vulnerability chain in late December 2025 and reported it via a GitHub Security Advisory on January 1, 2026. Cline patched within 30 minutes of public disclosure on February 9, but the attacker had already exfiltrated credentials.

Why is Clinejection significant for AI agent security?

Before Clinejection, there were virtually no documented cases where prompt injection had led to real, large-scale damage. It proved that AI agent workflows processing untrusted input can be exploited to execute arbitrary code at scale — turning a theoretical risk into reality.

How can organizations protect against Clinejection-style attacks?

Never configure AI triage bots with unrestricted user access (allowed_non_write_users: *). Validate and sanitize all external input before passing to AI agents. Restrict npm publish tokens with IP allowlists and 2FA. Monitor for anomalous package publishes.

What is the connection between Clinejection and OpenClaw?

OpenClaw was the payload — the compromised npm package contained a postinstall script that silently installed OpenClaw globally. OpenClaw itself wasn't the vulnerability; it was used as the attack's installation target, giving attackers a full-system AI agent on victim machines.

← Back to dashboard

clawsmith.com/signal/clinejection-prompt-injection-4000-developer-machines

⚠ IssueWide OpenAttackLive

Clinejection: AI Prompt Injection via GitHub Issue Title Installs OpenClaw on 4,000 Developer Machines

A single GitHub issue title triggered a prompt injection attack chain: an AI triage bot (claude-code-action) read the malicious title, executed it, exfiltrated an npm token, and published a compromised Cline package with a postinstall hook that globally installed OpenClaw. 4,000 developers downloaded it in 8 hours before detection. First documented case of prompt injection causing real large-scale compromise.

Product Idea from this Signal

A pre-processing proxy that sanitizes external inputs before AI triage bots can execute them as instructions

827 ▲

AI-powered CI/CD workflows (GitHub Actions, GitLab CI) now use LLM agents to triage issues, review PRs, and run automated tasks. But external inputs like issue titles, PR bodies, and comments flow directly into these agents without validation. The Clinejection attack proved this is not theoretical: a single crafted GitHub issue title compromised 4,000 developer machines by hijacking an AI triage bot into exfiltrating npm credentials. This tool sits between external input sources and AI agents, stripping prompt injection patterns, validating input schemas, and enforcing action-scope limits before any LLM processes the content.

CLIOPEN-SOURCESECURITYCI-CDDEVTOOL

CompetitiveView Opportunity →

Product Idea from this Signal

A runtime behavioral sandbox that detects guidance injection attacks in OpenClaw skills by observing what agents actually do instead of scanning what skills say

17.6k ▲

Existing OpenClaw skill scanners use static analysis and LLM-based content scanning to flag malicious skills before installation. The Trojan's Whisper paper (March 2026) proved that 94% of guidance injection attacks evade both approaches because the malicious payload is disguised as routine operational guidance, not explicit instructions. Meanwhile 12% of ClawHub's skill registry has been compromised at some point in 2026. The gap is clear. Instead of scanning skill text, this product spins up an isolated OpenClaw instance, installs the skill, runs a battery of natural user prompts, and observes what the agent actually does. Credential access, file writes outside sandbox, network exfiltration, privilege escalation attempts all get flagged as behavioral anomalies regardless of how the skill's guidance file describes them.

CLIOPEN-SOURCESECURITYDEVTOOLRUNTIME-ANALYSIS

CompetitiveView Opportunity →