
How “Clinejection” Turned an AI Bot into a Supply Chain Attack

Blog post from Snyk

Author: Stephen Thoemmes
Word count: 2,428
Language: English
Summary

In February 2026, security researcher Adnan Khan publicly disclosed "Clinejection", a vulnerability chain in the Cline repository that turned the popular AI coding tool's issue-triage bot into a supply chain attack vector. The chain was exploited to publish an unauthorized version of the Cline CLI to npm; for an eight-hour window, that version installed the OpenClaw AI agent on developer machines. The attack combined several known vulnerabilities, including indirect prompt injection and GitHub Actions cache poisoning, and illustrates the risk of wiring AI agents into CI/CD systems. The impact on Cline's users was limited, since the unauthorized version was live for only eight hours and the payload was not overtly destructive, but the incident showed how much worse the outcome could have been. It underscores the need for robust controls in AI-assisted coding environments, such as minimizing the tools an agent can invoke and thoroughly verifying that credentials have actually been rotated. Following the incident, Cline moved npm publishing to OIDC provenance via GitHub Actions to mitigate the risk, and Snyk continued its efforts to secure AI agent supply chains through various tools and research initiatives.