grith.ai reports an attack chain dubbed "Clinejection" where a prompt-injected GitHub issue title triggered an AI issue-triage workflow and led to GitHub Actions cache poisoning plus CI secret theft (npm and extension marketplace tokens). The attacker then published cline@2.3.0 to npm with a postinstall that ran "npm install -g openclaw@latest", leading to about 4,000 installs over roughly 8 hours before removal, per the writeup. Suggested fixes include treating issue/PR text as untrusted input for agents, tightening who can trigger workflows, removing cache use from secret-bearing jobs, and moving npm publishing to OIDC provenance attestation instead of long-lived tokens.
A GitHub Issue Title Compromised 4,000 Developer Machines
A prompt injection in a GitHub issue triggered a chain reaction that ended with 4,000 developers getting OpenClaw installed without consent. The attack composes well-understood vulnerabilities into something new: one AI tool bootstrapping another.
(grith.ai)