A prompt injection vulnerability in Cline's Claude Issue Triage workflow enabled attackers to compromise production Cline releases and infect approximately 4,000 developer machines between December 21, 2025 and February 9, 2026. The attack represents the first documented agent-on-agent supply chain attack, where natural language instructions in a GitHub issue title weaponized one AI agent against another.
Vulnerability Went Unpatched for Five Weeks Despite Security Report
Security researcher Adnan Khan reported the vulnerability via GitHub Security Advisory on January 1, 2026, sending multiple follow-ups over five weeks with no response from maintainers. On February 17, 2026 at 3:26 AM PT, an unauthorized party exploited the vulnerability to publish a compromised version of Cline (v2.3.0) using a stolen npm token. The malicious package was downloaded approximately 4,000 times during an eight-hour window before detection.
The attack chain exploited multiple system components:
- Prompt injection through malicious GitHub issue titles
- AI triage bot interpretation of attacker instructions
- GitHub Actions cache poisoning to access publish workflows
- Credential theft of VSCE_PAT, OVSX_PAT, and NPM_RELEASE_TOKEN secrets
- Malicious payload deployment through modified package.json postinstall scripts
Natural Language Serves as Both Entry Point and Payload
The attack exploited the fundamental architecture of AI coding agents by injecting instructions into files that agents routinely read. When Cline's AI triage bot processed GitHub issue titles, it interpreted embedded malicious prompts as legitimate commands and executed them. The compromised npm package installed OpenClaw on developer machines through a postinstall script, then injected additional instructions into .clineignore and rule files to compromise secondary AI agents.
Cline maintainers implemented immediate mitigations on February 9, 2026, less than one hour after public disclosure. These included removing issue and pull request bot review workflows from the repository, eliminating actions/cache from publish workflows handling release credentials, and rotating all relevant authentication tokens.
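The two workflow-level mitigations above can be checked for in any repository with a scan like the following, an added example that is not taken from Cline's repository or from the researcher's report. It is a text scan rather than a YAML parser, and it assumes the issue text reaches the job through `${{ }}` interpolation. The sample workflows and the `triage-agent` command are constructed for illustration.

```python
import re

# Secret names as listed in the article; extend for your own repository.
RELEASE_SECRETS = ("VSCE_PAT", "OVSX_PAT", "NPM_RELEASE_TOKEN")
CACHE_USE = re.compile(r"uses:\s*actions/cache(?:/[\w-]+)?@")
# Issue/PR/comment text an outside account controls, interpolated into the job.
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*github\.event\.(?:issue|comment|pull_request)\.(?:title|body)")

def audit_workflow(text):
    """Return sorted finding codes for the text of one workflow file."""
    findings = set()
    holds_secret = any(re.search(r"secrets\." + s + r"\b", text)
                       for s in RELEASE_SECRETS)
    if holds_secret and CACHE_USE.search(text):
        findings.add("cache-in-credentialed-workflow")
    if UNTRUSTED.search(text):
        findings.add("untrusted-text-in-job")
    return sorted(findings)

# Constructed sample workflows (not Cline's actual files).
TRIAGE = """\
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: ./triage-agent --title "${{ github.event.issue.title }}"
"""
PUBLISH_WEAK = """\
on: workflow_dispatch
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/cache@v4
        with: {path: node_modules, key: deps}
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_RELEASE_TOKEN }}
"""
# Same publish job after the mitigation described above: no cache step.
PUBLISH_FIXED = PUBLISH_WEAK.replace(
    "      - uses: actions/cache@v4\n        with: {path: node_modules, key: deps}\n", "")
if __name__ == "__main__":
    for name, wf in [("triage", TRIAGE), ("weak", PUBLISH_WEAK), ("fixed", PUBLISH_FIXED)]:
        print(name, audit_workflow(wf))
```

A finding is a prompt for manual review of the workflow, since a regex scan cannot see reusable workflows or composite actions that restore a cache indirectly.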
Security Community Identifies New Class of AI Agent Vulnerabilities
The Clinejection attack demonstrates what security researchers describe as "the confused deputy problem, applied to agents." Unlike traditional software vulnerabilities requiring exploit code or remote code execution, this attack used only natural language text that AI agents interpreted as commands. The incident raises concerns about the security implications of integrating AI agents into CI/CD pipelines and automated workflows, as documented in recent research on prompt injection attacks on agentic coding assistants.
The attack required no sophisticated technical exploits—just a GitHub account and knowledge of how AI agents process natural language instructions. This accessibility significantly lowers the barrier for similar attacks targeting other AI-powered development tools and workflows.
Key Takeaways
- A prompt injection vulnerability in Cline's AI triage workflow allowed attackers to compromise 4,000 developer machines through a malicious npm package
- The vulnerability was reported on January 1, 2026 but went unpatched for five weeks before exploitation on February 17, 2026
- The attack represents the first documented agent-on-agent supply chain attack, using natural language as both entry point and payload
- Attackers used GitHub issue title prompt injection to steal credentials and publish compromised cline@2.3.0, downloaded 4,000 times in eight hours
- The incident highlights a new vulnerability class where AI agents can be weaponized against other AI agents through natural language injection