Public story · 2026-02-26 · source-backed
Cline CLI Supply Chain Attack Post-Mortem
Story
Cline published their full post-mortem on the Clinejection supply chain attack. The root cause is worth understanding in detail: a prompt injection in Cline's GitHub Actions issue triage bot (Claude processing untrusted issue titles) allowed arbitrary code execution in CI. This led to cache poisoning and npm/VSCE/OVSX token theft. During credential rotation, the wrong token was deleted while the exposed one stayed active. 4,000 developers downloaded compromised [redacted] in an 8-hour window that silently installed OpenClaw globally on every user's system.
Cline has since moved to OIDC-based publishing via GitHub Actions with cryptographic attestation. This is now the minimum standard for any package you publish.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Same source / Shared topic / What happened next
Clinejection: A GitHub Issue Title Compromised 4,000 Developer Machines
Both cover Cline, Clinejection, OpenClaw; cite the same source (OIDC-based publishing via GitHub Actions); overlapping topics (action, attack, chain, clinejection, issue).
Shared entities / Same source / Shared topic / Tension
Harden CI/CD Against AI Agent Supply Chain Attacks
Both cover Clinejection, GitHub Actions, OIDC; cite the same source (OIDC-based publishing via GitHub Actions); overlapping topics (action, attack, cache, chain).
Shared entities / Shared topic / Earlier coverage
Bargury Forensically Documents First AI-on-Agent Supply Chain Attack
Both cover Claude, Cline, Clinejection, OpenClaw; overlapping topics (attack, chain, cline, clinejection, issue); earlier Claude coverage from 2026-02-22.
Shared entities / Shared topic / What happened next
The Largest npm Worm of 2026 Carries Valid Supply Chain Attestations. That's the Real Problem.
Both cover GitHub Actions, OIDC; overlapping topics (action, attack, attestation, cache, chain); picks up the GitHub Actions thread on 2026-05-13.
Shared entities / Same source domain / Shared topic / What happened next
The Security Scanner Was the Attack Vector. 10,000 CI/CD Workflows Compromised.
Both cover Claude, GitHub Actions; reported by the same outlet (snyk.io); overlapping topics (action, attack, chain).
Shared entities / Same source / Earlier coverage / Tension
Agent Security (Priority: +2.0)
Both cover GitHub Actions, OIDC; cite the same source (OIDC-based publishing via GitHub Actions); earlier GitHub Actions coverage from 2026-02-21.
Shared entities / Shared topic / What happened next
Local models are good now, and the timing isn't a coincidence
Both cover Claude, Cline, OpenClaw; overlapping topics (claude, code); picks up the Claude thread on 2026-06-17.
Claude Code 2.1.187 ships sandbox credential blocking, the day after WIF.
Both cover GitHub Actions, OIDC; overlapping topics (action, attack, claude, code); picks up the GitHub Actions thread on 2026-06-24.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — 2026-02-26
- AI generated
- no
- Story unit
- 2026-02-26-cline-cli-supply-chain-attack-post-mortem
- Labels
- source-backed, canonical briefing excerpt