A single GitHub issue title. One tampered line in package.json. Eight hours of silent compromise.
On February 17, 2026, roughly 4,000 developers ran npm install -g cline and unknowingly installed OpenClaw on their machines. OpenClaw is a fully autonomous AI agent with unrestricted disk access, shell execution, and messaging integration.
The Cline CLI is the command-line interface for one of the most popular AI coding assistants out there, with over 5 million users. It was hijacked through a sentence in a GitHub issue.
An AI agent was compromised by an AI agent to deploy an AI agent.
What Happened
At 3:26 AM Pacific Time on February 17, 2026, someone used a compromised npm publish token to push cline@2.3.0 to the npm registry. They modified exactly one file, package.json, adding a single postinstall script.
A corrected version (2.4.0) was published at 11:23 AM PT.
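A release whose only change is a new postinstall entry in package.json can be surfaced by comparing manifests before installing an update. The following is an added example, not code from Cline or from the original article; the package name, versions and placeholder command are constructed, and diffInstallHooks and needsReview are hypothetical names.

```javascript
// Added example: report install-time lifecycle scripts that were added or
// changed between two package.json manifests of the same package.
// "prepare" is included because npm runs it for git dependencies and local installs.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Return the scripts map, or an empty object if it is missing or malformed.
function scriptsOf(manifest) {
  const s = manifest && manifest.scripts;
  return s && typeof s === "object" ? s : {};
}

function diffInstallHooks(oldManifest, newManifest) {
  const before = scriptsOf(oldManifest);
  const after = scriptsOf(newManifest);
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const had = own(before, hook);
    const has = own(after, hook);
    if (has && (!had || before[hook] !== after[hook])) {
      findings.push({ hook, change: had ? "modified" : "added", command: String(after[hook]) });
    }
  }
  return findings;
}

// CI gate: true means the update needs human review before it is installed.
function needsReview(oldManifest, newManifest) {
  return diffInstallHooks(oldManifest, newManifest).length > 0;
}

// Constructed sample manifests (name, versions and commands are placeholders).
const PREVIOUS = {
  name: "example-cli",
  version: "1.0.0",
  scripts: { build: "tsc", test: "node --test" },
};
const CANDIDATE = {
  name: "example-cli",
  version: "1.0.1",
  scripts: { build: "tsc", test: "node --test", postinstall: "node ./constructed-placeholder.js" },
};

for (const finding of diffInstallHooks(PREVIOUS, CANDIDATE)) {
  console.log(`${finding.change} ${finding.hook}: ${finding.command}`);
}
```

Feed it the package.json of the version currently pinned and of the candidate version; unrelated script changes such as build or test are ignored on purpose.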
The Four-Stage Kill Chain: How Clinejection Worked
Stage 1: The Vulnerable AI Issue Triager
On December 21, 2025, Cline's maintainers added an AI-powered issue triage workflow using claude-code-action with broad tool permissions, including Bash execution.
Stage 2: Prompt Injection via Issue Title
The issue title was interpolated directly into Claude's prompt without sanitization. An attacker could craft a title containing embedded commands.



