Clinejection: Cline CLI 2.3.0 npm Supply Chain Attack Silently Installed OpenClaw on ~4,000 Developer Machines via Prompt Injection and GitHub Actions Cache Poisoning
Researcher Adnan Khan discovered prompt injection + GitHub Actions cache poisoning in Cline that could steal npm publish tokens. An unknown actor exploited it to publish cline@2.3.0, silently installing OpenClaw on ~4,000 developer machines — the first documented AI-hijacks-AI supply chain attack.
Cline | Tool execution / MCP | Supply chain: prompt injection + CI cache poisoning leading to malicious npm publish | ~4,000 developer machines / npm ecosystem
What happened
An unknown actor exploited prompt injection in Cline's GitHub Actions workflows to steal npm publish tokens via cache poisoning. The attacker then published cline@2.3.0 with a postinstall script that silently downloaded and installed OpenClaw on developer machines during `npm install cline`.
Why it matters
Approximately 4,000 developer machines had OpenClaw installed without consent or awareness. OpenClaw, a full AI agent runtime, runs with broad system access — the attacker had persistent code execution on affected machines.
Missing authorization check
npm postinstall scripts should not be able to install additional software without explicit user authorization. GitHub Actions workflows handling npm publish tokens must validate all inputs for injection before processing.
Would PP block it?
Once OpenClaw is installed via the postinstall script, PP's enforcement layer would gate any consequential agent actions (file mutations, credential access, network exfiltration) behind receipts, limiting what the unauthorized agent runtime could do.
Incident analysis
Timeline and technical read
Timeline
2026-02-17
Researcher Adnan Khan publishes findings: prompt injection + GitHub Actions cache poisoning vulnerability in Cline that could steal npm publish tokens.
2026-02-17
Unknown actor exploits the vulnerability chain to publish cline@2.3.0 with a malicious postinstall script. Approximately 4,000 developer machines silently receive OpenClaw installation.
2026-02-17
Malicious cline@2.3.0 taken down from npm. First documented AI-hijacks-AI supply chain attack.
Technical breakdown
Prompt injection: crafted PR title/description content was processed by Cline's AI assistant in GitHub Actions, redirecting it to exfiltrate the npm publish token from the workflow environment.
Cache poisoning: the attacker poisoned the GitHub Actions build cache with a malicious artifact, which was restored in subsequent workflow runs.
The poisoned artifact contained a modified Cline build that, when published to npm, included a postinstall script.
postinstall script: on `npm install cline`, the script silently downloaded and installed OpenClaw without any user prompt or authorization.
Authorization boundary
Where the authorization boundary should have been
This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Deploy Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.
Installing additional software via postinstall scripts, AI agent runtime startup on developer machines
PP's Deploy Gate would require authorization receipts before OpenClaw or any agent runtime could execute consequential actions on the infected machine. It would not prevent the silent installation itself — that requires npm-level controls.
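One form the npm-level control can take is a lockfile audit that lists every dependency allowed to run install-time scripts and flags the release named in this write-up. The code below is an added example, not code from Cline, npm or Permission Protocol; `auditLockfile`, `nameFromPath` and the sample lockfile are hypothetical names and constructed data, and it assumes a `package-lock.json` with lockfileVersion 2 or 3.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2/3) for
// packages that run install-time lifecycle scripts and for the affected release.

// Affected release as named in this write-up.
const AFFECTED = { name: "cline", version: "2.3.0" };

// Derive the package name from a lockfile key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Returns { installScripts: [...], affected: [...] } for a parsed lockfile.
function auditLockfile(lock) {
  const report = { installScripts: [], affected: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = meta.name || nameFromPath(path);
    // npm sets hasInstallScript when a package declares a
    // preinstall, install or postinstall script.
    if (meta.hasInstallScript === true) {
      report.installScripts.push(`${name}@${meta.version}`);
    }
    if (name === AFFECTED.name && meta.version === AFFECTED.version) {
      report.affected.push(path);
    }
  }
  return report;
}

// Constructed sample lockfile (illustrative, not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/cline": { version: "2.3.0", hasInstallScript: true },
    "node_modules/example-lib": { version: "1.3.0" },
    "node_modules/tool/node_modules/@scope/native": {
      version: "0.4.1", hasInstallScript: true,
    },
  },
};

const report = auditLockfile(SAMPLE_LOCK);
console.log("packages with install scripts:", report.installScripts);
console.log("affected release present at:", report.affected);
```

The packages listed under `installScripts` are the ones whose scripts `npm install --ignore-scripts` or `npm ci --ignore-scripts` would skip.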