Feed
HighPublished 17 Feb 20261 package · 1 version

cline npm package hijacked via "Clinejection" prompt-injection chain

Summary

An attacker abused an unsanitised AI issue-triage GitHub Actions workflow on the Cline repo to poison the release pipeline cache and steal the npm publish token. They published cline@2.3.0 with a postinstall script that globally installed the second-stage package openclaw. ~90k weekly downloads; live for ~8 hours before Cline rotated the token and shipped 2.4.0.

prompt-injectionci-cd-compromiseaccount-takeover
Detected by
Socket
Also known as
Clinejection
Ecosystems
npm
Packages tracked
1

What happened

Cline is a popular npm-distributed AI coding assistant (≈90,000 weekly downloads at the time of incident). On February 17, 2026, Socket disclosed that an attacker had abused the Cline repo's AI-driven issue-triage GitHub Actions workflow to insert content the bot would render as legitimate maintainer instructions — a textbook second-order prompt-injection chain that ended in npm publish-token theft.

The attacker filed a crafted issue. The AI triage workflow ingested the issue body, the prompt-injection content steered it into modifying the release-pipeline cache, and the next push of cline shipped from a poisoned cache. The published cline@2.3.0 carried a postinstall script that globally installed a second-stage package, openclaw, which contained the actual malware.

The live window was roughly eight hours. Cline rotated the npm token, yanked 2.3.0, and pushed 2.4.0 once the chain was understood. There is no clean way to know how many of the ~90k weekly users updated during the window; assume any host that resolved cline@2.3.0 should be treated as suspect.

This is the first publicly-documented prompt-injection-to-npm-publish chain mediated by an AI triage bot, and it set the template for several subsequent attacks (see multi-2026-04-29-promptmink-validate-sdk). The defensive takeaway: AI bots with any write access to publication workflows are a publish-token equivalent. Don't give them that access.

Affected packages (1)

  • npmcline
    2.3.0

Impact

  • Developers who installed cline@2.3.0 had openclaw silently installed globally
  • First publicly-documented prompt-injection-to-npm-publish chain via an AI triage bot
  • 5M+ potential AI-coding-tool users exposed during the window

What to do

  1. 1Pin cline ≥ 2.4.0; uninstall any global openclaw package
  2. 2Audit AI-driven issue triage workflows for unsanitised inputs
  3. 3Disable AI bots that have write access to publication workflows

References

npm-2026-02-17-cline-clinejection