grith.ai reports an attack chain dubbed "Clinejection" where a prompt-injected GitHub issue title triggered an AI issue-triage workflow and led to GitHub Actions cache poisoning plus CI secret theft (npm and extension marketplace tokens). The attacker then published cline@2.3.0 to npm with a postinstall that ran "npm install -g openclaw@latest", leading to about 4,000 installs over roughly 8 hours before removal, per the writeup. Suggested fixes include treating issue/PR text as untrusted input for agents, tightening who can trigger workflows, removing cache use from secret-bearing jobs, and moving npm publishing to OIDC provenance attestation instead of long-lived tokens.
A GitHub Issue Title Compromised 4,000 Developer Machines
A prompt injection in a GitHub issue triggered a chain reaction that ended with 4,000 developers getting OpenClaw installed without consent. The attack composes well-understood vulnerabilities into something new: one AI tool bootstrapping another.
(grith.ai)
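As an added illustration (constructed here, not taken from the grith.ai writeup or from the Cline project's own workflows), a GitHub Actions publish job showing the pattern the suggested fixes target next to a hardened version: the secret-bearing job stops restoring a shared cache, drops to minimal permissions, and publishes through the workflow's OIDC identity with provenance instead of a long-lived token. Workflow, environment, and secret names are placeholders, and the hardened job assumes npm trusted publishing has already been enabled for the package on npmjs.com.

```yaml
# Constructed example; not the Cline repository's real workflow.
# BEFORE: one job both restores a repo-wide cache and holds the publish token.
# A poisoned cache entry written by another workflow sharing this key is
# restored here and its contents run with NPM_TOKEN in scope.
name: release-weak
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
      - run: npm ci && npm run build
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived token
---
# AFTER: no cache in the secret-bearing job, least-privilege permissions,
# and npm authenticates the job by its OIDC identity (trusted publishing)
# while attaching a provenance attestation to the published version.
name: release-hardened
on:
  push:
    tags: ['v*']
permissions: {}                 # grant nothing by default
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release    # placeholder; can require reviewer approval
    permissions:
      contents: read
      id-token: write           # needed to mint the OIDC token
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # trusted publishing needs npm 11.5.1+
      - run: npm ci --ignore-scripts     # clean install, nothing restored from cache
      - run: npm run build
      - run: npm publish --provenance --access public
```

The hardened job still needs the issue-triage workflow kept separate: anything that reads issue or PR text should run with read-only permissions and no publish-capable identity, so a prompt-injected title cannot reach the release path at all.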