
How “Clinejection” Turned an AI Bot into a Supply Chain Attack
On February 9, 2026, security researcher Adnan Khan publicly disclosed a vulnerability chain (dubbed "Clinejection") in the Cline repository that turned the popular AI coding tool's own issue triage bot into a supply chain attack vector. Eight days later, an unknown actor exploited the same flaw to publish an unauthorized version of the Cline CLI to npm, installing the OpenClaw AI agent on every developer machine that updated during an eight-hour window.

The attack chain is notable not for any single novel technique, but for how it composes well-understood vulnerabilities (indirect prompt injection, GitHub Actions cache poisoning, credential model weaknesses) into a single exploit that requires nothing more than opening a GitHub issue.

For Cline's 5+ million users, the actual impact was limited. The unauthorized cline@2.3.0 was live for roughly eight hours, and its payload (installing OpenClaw globally) was not overtly destructive. But the potential impact, pushing arbitrary code to e