Novel AI-Powered Attack Hits 4,000 Devs
A sophisticated supply chain attack dubbed “Clinejection” pushed a malicious release of the Cline CLI to roughly 4,000 developer machines. The attack used a prompt injection hidden in a GitHub issue title to hijack an AI-powered triage bot, then poisoned the project's GitHub Actions cache and stole its publishing credentials. The incident highlights the security risks that arrive when AI agents are given privileges inside DevOps and CI/CD workflows.
The attack began with a prompt injection payload concealed in the title of a GitHub issue, targeting an AI-powered triage bot built on Anthropic's Claude model. The bot treated the attacker's text as instructions, and the attacker used it to execute arbitrary code in the bot's workflow, the first step in a multi-stage assault.

That initial code execution was used to poison the GitHub Actions cache. By filling the cache with junk data, the attacker forced the eviction of legitimate entries, then inserted a malicious entry keyed so that a more privileged nightly release workflow would restore it. Once that workflow picked up the poisoned entry, the attacker was able to steal the production secrets it had access to, including the npm, Visual Studio Code Marketplace, and OpenVSX publishing tokens.

An unknown actor then used the stolen credentials on February 17, 2026, to publish a malicious version of the Cline CLI package. The compromised package, version 2.3.0, carried a post-install script that automatically and silently installed "OpenClaw," a separate autonomous AI agent, on any machine that updated during an eight-hour window. Data from StepSecurity indicates the tainted package was downloaded approximately 4,000 times before it was removed.

Security researcher Adnan Khan had discovered and reported the vulnerability chain to Cline on January 1, 2026, but received no response for over five weeks. After Khan's public disclosure on February 9, Cline patched the initial vulnerability within 30 minutes but did not properly rotate all of the compromised credentials, leaving the opening that the February 17 publish exploited.

The incident is part of a costly trend: software supply chain attacks are projected to cost businesses $80.6 billion in 2026, and the global cost of such attacks is expected to climb to nearly $138 billion by 2031.
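The malicious release described above reached developer machines through an npm post-install script, the one hook a package can use to run code on every machine that installs it. As an added illustration (not code from Cline, StepSecurity or the researcher named in the article), the following Python script audits an npm package manifest for install-time lifecycle scripts and flags commands that fetch or install code from outside the package tarball. The three sample manifests, their package names, versions and script commands are constructed for this example (the "example-cli" and "example-agent" names are hypothetical), and the keyword patterns are a heuristic starting point, not a signature set.

```python
"""Audit an npm package manifest for code that runs at install time.

Added example, not Cline's code or StepSecurity's tooling. The payload in the
incident above reached developer machines through a post-install script, so
the first question to ask of any freshly pulled package is: does it run
anything during `npm install`, and if so, does that command pull in more code?
"""
import json
import re

# npm lifecycle hooks that execute during `npm install`. `prepare` also runs
# when a dependency is installed from a git URL.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns for install-time commands that pull in or run code that
# is not in the package tarball. Illustrative, not an exhaustive signature set.
SUSPICIOUS = {
    "fetches from the network": re.compile(r"\b(curl|wget|Invoke-WebRequest)\b", re.I),
    "installs or runs another package": re.compile(
        r"\b(npm|pnpm|yarn)\s+(install|i|add|exec)\b|\bnpx\b|\bpnpm\s+dlx\b", re.I),
    "pipes into a shell": re.compile(r"\|\s*(ba|z)?sh\b", re.I),
    "evaluates inline code": re.compile(r"\bnode\s+-e\b|\beval\s*\(", re.I),
    "decodes an encoded blob": re.compile(r"\bbase64\b|\batob\s*\(", re.I),
}


def audit_manifest(manifest_text):
    """Return a report dict for one package.json.

    verdict is "clean" (no install hooks), "review" (install hooks present but
    nothing matched) or "block" (an install hook matched a suspicious pattern).
    """
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    hooks = {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}

    findings = []
    for hook, command in hooks.items():
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(command):
                findings.append(f"{hook}: {label}: {command!r}")

    if not hooks:
        verdict = "clean"
    elif findings:
        verdict = "block"
    else:
        verdict = "review"

    return {
        "package": f"{manifest.get('name', '?')}@{manifest.get('version', '?')}",
        "hooks": hooks,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed sample manifests (hypothetical names and commands, not the real
# Cline CLI contents): a clean release, a native addon that legitimately needs
# an install hook, and a release carrying a post-install that installs a
# separate package straight from the registry.
CLEAN_MANIFEST = json.dumps({
    "name": "example-cli", "version": "2.2.9",
    "scripts": {"build": "tsc -p .", "test": "vitest run"},
})
NATIVE_MANIFEST = json.dumps({
    "name": "example-native", "version": "1.4.2",
    "scripts": {"install": "node-gyp rebuild", "test": "node test.js"},
})
TROJANED_MANIFEST = json.dumps({
    "name": "example-cli", "version": "2.3.0",
    "scripts": {
        "build": "tsc -p .",
        "postinstall": "npx -y example-agent@latest install --silent",
    },
})


def audit_all(manifests):
    """Audit several manifests and return the reports keyed by name@version."""
    reports = [audit_manifest(text) for text in manifests]
    return {report["package"]: report for report in reports}


if __name__ == "__main__":
    results = audit_all([CLEAN_MANIFEST, NATIVE_MANIFEST, TROJANED_MANIFEST])
    for package, report in results.items():
        print(f"{package}: {report['verdict']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

The "review" verdict matters as much as "block": a native addon running `node-gyp rebuild` is legitimate, but it is still arbitrary code executing on install, and a diff between the previous version's hooks and the new one is the cheapest signal that a release has changed character. Where a team does not need install hooks at all, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) disables them outright, which would have stopped the post-install stage of this incident regardless of how the credentials were stolen.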