← The Wire

Public story · 2026-02-26 · source-backed

Cline CLI Supply Chain Attack Post-Mortem

Confidence
source-backed
Sources
2
Redaction
redacted

Story

Cline published their full post-mortem on the Clinejection supply chain attack. The root cause is worth understanding in detail: a prompt injection in Cline's GitHub Actions issue triage bot (Claude processing untrusted issue titles) allowed arbitrary code execution in CI. This led to cache poisoning and npm/VSCE/OVSX token theft. During credential rotation, the wrong token was deleted while the exposed one stayed active. 4,000 developers downloaded compromised [redacted] in an 8-hour window that silently installed OpenClaw globally on every user's system.

Cline has since moved to OIDC-based publishing via GitHub Actions with cryptographic attestation. This is now the minimum standard for any package you publish.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Same source / Shared topic / What happened next

    Clinejection: A GitHub Issue Title Compromised 4,000 Developer Machines

    Both cover Cline, Clinejection, OpenClaw; cite the same source (OIDC-based publishing via GitHub Actions); overlapping topics (action, attack, chain, clinejection, issue).

  2. Shared entities / Same source / Shared topic / Tension

    Harden CI/CD Against AI Agent Supply Chain Attacks

    Both cover Clinejection, GitHub Actions, OIDC; cite the same source (OIDC-based publishing via GitHub Actions); overlapping topics (action, attack, cache, chain).

  3. Shared entities / Shared topic / Earlier coverage

    Bargury Forensically Documents First AI-on-Agent Supply Chain Attack

    Both cover Claude, Cline, Clinejection, OpenClaw; overlapping topics (attack, chain, cline, clinejection, issue); earlier Claude coverage from 2026-02-22.

  4. Shared entities / Shared topic / What happened next

    The Largest npm Worm of 2026 Carries Valid Supply Chain Attestations. That's the Real Problem.

    Both cover GitHub Actions, OIDC; overlapping topics (action, attack, attestation, cache, chain); picks up the GitHub Actions thread on 2026-05-13.

  5. Shared entities / Same source domain / Shared topic / What happened next

    The Security Scanner Was the Attack Vector. 10,000 CI/CD Workflows Compromised.

    Both cover Claude, GitHub Actions; reported by the same outlet (snyk.io); overlapping topics (action, attack, chain).

  6. Shared entities / Same source / Earlier coverage / Tension

    Agent Security (Priority: +2.0)

    Both cover GitHub Actions, OIDC; cite the same source (OIDC-based publishing via GitHub Actions); earlier GitHub Actions coverage from 2026-02-21.

  7. Shared entities / Shared topic / What happened next

    Local models are good now, and the timing isn't a coincidence

    Both cover Claude, Cline, OpenClaw; overlapping topics (claude, code); picks up the Claude thread on 2026-06-17.

  8. Claude Code 2.1.187 ships sandbox credential blocking, the day after WIF.

    Both cover GitHub Actions, OIDC; overlapping topics (action, attack, claude, code); picks up the GitHub Actions thread on 2026-06-24.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-02-26-cline-cli-supply-chain-attack-post-mortem
Labels
source-backed, canonical briefing excerpt