DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-9PPG-JX86-FQW7: Clinejection: When AI Agents Go Rogue and Poison Your Supply Chain


Vulnerability ID: GHSA-9PPG-JX86-FQW7
CVSS Score: 9.9
Published: 2026-02-19

In a twist of irony that would make a cyberpunk author blush, the popular VS Code extension 'cline' was compromised not by a buffer overflow or a weak password, but by its own helpful AI assistant. By leveraging a Prompt Injection vulnerability within a GitHub Actions workflow, an attacker forced the repository's AI agent to execute arbitrary Bash commands. This initial foothold allowed the attacker to poison the GitHub Actions cache, pivot to a high-privileged release workflow, steal NPM publishing tokens, and push a malicious version (2.3.0) to the npm registry. This is a masterclass in modern CI/CD exploitation: utilizing 'Agentic AI' as a naive, over-privileged accomplice.

TL;DR

A GitHub Action using an AI agent (Claude) to triage issues was vulnerable to prompt injection via issue titles. An attacker used this to execute shell commands, poison the repository's build cache, steal publication secrets during the next release cycle, and publish a compromised version of the package.


⚠️ Exploit Status: POC

Technical Details

  • Attack Vector: AI Prompt Injection -> CI/CD Cache Poisoning
  • CWE ID: CWE-94 (Code Injection)
  • CVSS Score: 9.9 (Critical)
  • Impact: Supply Chain Compromise, Credential Theft
  • Exploit Status: Proof of Concept (Publicly Disclosed)
  • Affected Component: claude-issue-triage.yml

Affected Systems

  • npm registry
  • GitHub Actions
  • VS Code Extension Marketplace
  • Developer Workstations (installing cline)
  • cline = 2.3.0 (fixed in 2.3.1)

Exploit Details

  • Adnan Khan Blog: Detailed write-up of the 'Clinejection' technique and PoC.

Mitigation Strategies

  • Remove AI-driven workflows that process untrusted input with privileged tools.
  • Implement strict cache scoping to prevent low-privilege workflows from writing to high-privilege cache keys.
  • Require manual approval for any workflow that has access to deployment secrets.

Remediation Steps:

  1. Delete the claude-issue-triage.yml workflow file immediately.
  2. Revoke NPM_RELEASE_TOKEN, VSCE_PAT, and OVSX_PAT tokens.
  3. Unpublish cline@2.3.0 from npm.
  4. Audit GitHub Actions logs for large cache write events (~10GB) coinciding with issue creation.
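Step 4 is the kind of check worth scripting. As an added example (not taken from the advisory, the write-up or the cline project), the Python below flags cache entries above a size threshold that were written within a short window after an issue was opened; the records are constructed inline in the shape I assume the GitHub REST cache-list and issue-list endpoints return (`id`, `key`, `size_in_bytes`, `created_at` for caches; `number`, `created_at` for issues), which is an assumption and not something the page states.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (assumed shape of GitHub's
# GET /repos/{owner}/{repo}/actions/caches and /issues responses).
CACHES = [
    {"id": 101, "key": "npm-linux-abc123", "size_in_bytes": 180_000_000,
     "created_at": "2026-02-10T09:00:00Z"},      # normal-sized, not interesting
    {"id": 102, "key": "node_modules-main-Linux", "size_in_bytes": 10_200_000_000,
     "created_at": "2026-02-12T14:03:20Z"},      # ~10 GB, minutes after an issue
    {"id": 103, "key": "build-nightly", "size_in_bytes": 9_000_000_000,
     "created_at": "2026-02-11T03:00:00Z"},      # large, but no issue nearby
]
ISSUES = [
    {"number": 4410, "created_at": "2026-02-10T08:00:00Z"},
    {"number": 4422, "created_at": "2026-02-12T14:01:05Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse the UTC timestamps GitHub emits (ISO 8601 with trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_cache_writes(caches, issues, min_bytes=5 * 1024 ** 3,
                            window=timedelta(minutes=15)):
    """Return caches of at least min_bytes created within `window` after an issue opened.

    Size alone is a weak signal (nightly builds are big too); the correlation
    with issue creation is what points at an issue-triggered workflow.
    """
    issue_times = [(i["number"], parse_ts(i["created_at"])) for i in issues]
    hits = []
    for cache in caches:
        if cache["size_in_bytes"] < min_bytes:
            continue
        created = parse_ts(cache["created_at"])
        nearby = [num for num, opened in issue_times
                  if timedelta(0) <= created - opened <= window]
        if nearby:
            hits.append({"cache_id": cache["id"], "key": cache["key"],
                         "size_gib": round(cache["size_in_bytes"] / 1024 ** 3, 1),
                         "issues": nearby})
    return hits


if __name__ == "__main__":
    for hit in suspicious_cache_writes(CACHES, ISSUES):
        print(f"cache {hit['cache_id']} ({hit['key']}, {hit['size_gib']} GiB) "
              f"written shortly after issue(s) {hit['issues']}")
```

Against a real repository, replace the constructed lists with the paginated API responses and tune `min_bytes` and `window` to the repository's normal cache sizes and triage latency.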

Read the full report for GHSA-9PPG-JX86-FQW7 on our website for more details including interactive diagrams and full exploit analysis.
