How a GitHub Issue Title Compromised 4,000 Developer Machines
In February 2026, a single GitHub issue title triggered a cascading security breach that compromised 4,000 developer machines. The attack, dubbed Clinejection, exploited a chain of vulnerabilities in AI-powered workflows, credential management, and package ecosystems. This article breaks down the attack vector, its implications, and lessons for securing modern development pipelines.
The Attack Chain: From Issue Title to Malware
The breach began with a GitHub issue title crafted to mimic a performance report. An AI triage bot, configured to process issue titles without sanitization, interpreted the title as an instruction to install a malicious package. Here’s how the attack unfolded:
1. Prompt Injection via GitHub Issue
- The Cline project used Anthropic’s claude-code-action for issue triage.
- Attackers injected a command into an issue title, which the AI bot executed as code.
- The bot installed a typosquatted GitHub repository (glthub-actions/cline), bypassing standard security checks.
2. Cache Poisoning and Credential Theft
- The malicious package deployed Cacheract, a tool that flooded GitHub Actions caches with junk data.
- This evicted legitimate cache entries, allowing attackers to inject compromised workflows.
- The poisoned workflow exfiltrated NPM, VS Code Marketplace, and OpenVSX credentials.
3. Malicious Package Publication
- Using stolen credentials, attackers published [email protected] with a postinstall hook.
- The hook silently installed OpenClaw, an AI agent with full system access, during package installation.
- Approximately 4,000 developers unknowingly executed the payload before the package was removed.
Why Existing Controls Failed
Traditional security tools missed the attack due to its novel execution:
- npm Audit: The malicious package appeared legitimate, with no malware signatures.
- Code Review: Only package.json changed, and diffs focused on binary files.
- CI/CD Permissions: The AI bot had unrestricted access to execute shell commands.
Post-Mortem Lessons and Mitigations
Cline’s post-mortem identified critical gaps in their security practices:
- Eliminated GitHub Actions cache usage for credential workflows.
- Adopted OIDC-based provenance attestations for npm packages.
- Implemented formal vulnerability disclosure processes with SLAs.
Broader Implications for AI in CI/CD
This attack highlights risks of AI agents processing untrusted input in CI/CD pipelines. Key takeaways:
- Never trust input from external sources (e.g., GitHub issues, pull requests).
- Use cryptographic attestation for package publishing workflows.
- Monitor postinstall hooks and lifecycle scripts for unexpected behavior.
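One way to act on the last takeaway, as an added example that is not from the original article or the Cline project: the first function reports install-time hooks that appear or change between two versions of a package.json, and the second lists lockfile entries that npm marked with hasInstallScript (the flag it writes in package-lock.json, lockfileVersion 2 and 3) and that are not on a reviewed allowlist. The manifests, lockfile, package names and function names are constructed for illustration.

```javascript
// Added example, not code from the Cline project or the original article.
// Lifecycle hooks that npm runs automatically when a package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const NM = 'node_modules/';

// Compare two versions of a package.json and report install-time hooks
// that were added or changed in the newer version.
function diffInstallHooks(oldManifest, newManifest) {
  const before = oldManifest.scripts || {};
  const after = newManifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof after[hook] !== 'string' || before[hook] === after[hook]) continue;
    const change = hook in before ? 'changed' : 'added';
    findings.push({ hook, change, command: after[hook] });
  }
  return findings;
}

// List lockfile entries (lockfileVersion 2 or 3) that npm flagged with
// hasInstallScript and that are not on the reviewed allowlist.
function unapprovedInstallScripts(lockfile, allowlist = []) {
  const allowed = new Set(allowlist);
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '' || !entry.hasInstallScript) continue; // '' is the root project
    const i = path.lastIndexOf(NM);
    const name = entry.name || (i === -1 ? path : path.slice(i + NM.length));
    if (!allowed.has(name)) hits.push(`${name}@${entry.version}`);
  }
  return hits.sort();
}

// Constructed sample data: package names and versions are made up.
const oldPkg = { name: 'example-cli', version: '1.0.0', scripts: { test: 'node test.js' } };
const newPkg = { name: 'example-cli', version: '1.0.1',
  scripts: { test: 'node test.js', postinstall: 'node ./scripts/setup.js' } };
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'my-app', version: '0.1.0' },
  'node_modules/example-cli': { version: '1.0.1', hasInstallScript: true },
  'node_modules/@scope/native-addon': { version: '2.4.0', hasInstallScript: true },
  'node_modules/left-helper': { version: '3.0.0' },
} };

console.log(diffInstallHooks(oldPkg, newPkg));
console.log(unapprovedInstallScripts(sampleLock, ['@scope/native-addon']));
```

Installing with npm's --ignore-scripts flag keeps these hooks from running until the flagged packages have been reviewed.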
Conclusion: Securing the AI-Driven Supply Chain
The Clinejection incident underscores the need for robust security practices in AI-integrated workflows. Developers must assume that any text input—whether a GitHub issue title or a chatbot prompt—could be weaponized. By adopting provenance-based security, limiting AI agent privileges, and auditing postinstall scripts, teams can mitigate similar risks.
Call to Action
Review your CI/CD pipelines for AI agents with unrestricted access. Audit npm packages for postinstall hooks and ensure credential workflows use short-lived tokens. Stay informed about emerging threats in the AI-driven development ecosystem.








