🤖 AI Summary
Cline, an open-source AI coding tool, recently faced a serious security incident involving a prompt injection vulnerability in its issue triage workflow. An AI agent integrated into Cline's issue triage meant that an attacker with nothing more than a GitHub account could potentially compromise production releases, publishing malicious updates to the millions of developers who install the extension through the Visual Studio Code Marketplace and OpenVSX. By poisoning the GitHub Actions cache, an attacker could bypass security mechanisms and reach the secrets used to publish releases.
This incident highlights critical weaknesses in CI/CD workflows that rely heavily on AI automation and external tools. The attack exploited the fact that the AI triage workflow let attacker-written prompts (issue text) drive arbitrary code execution, which in turn made cache manipulation possible. The implications for the AI/ML community are significant: the incident underscores the importance of hardening automated processes against injection attacks and makes concrete the risks of integrating AI models into the development lifecycle. Cline has since removed the vulnerable workflow, but users are advised to exercise caution and disable auto-updates until a thorough investigation confirms that no further threats remain.
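The two weaknesses the summary describes (untrusted issue text reaching a shell step, and a cache written by an issue-triggered run being restorable by release jobs) can be caught with a simple workflow lint. The following is an added example written for this note, not Cline's own tooling or its real workflow; the sample workflow is constructed, the lint is heuristic (regex over the YAML text rather than a full parser), and the trigger-key indentation it assumes is an assumption.

```python
import re
UNTRUSTED_TRIGGERS = {"issues", "issue_comment", "pull_request_target", "discussion"}  # payload written by any GitHub account
UNTRUSTED_EXPR = re.compile(r"\$\{\{[^}]*github\.event\.\w+\.(title|body)")  # expands attacker-written text into a step
CACHE_RE = re.compile(r"uses: *actions/cache@|^ *cache: *\S", re.M)  # actions/cache or a setup-* action's cache: input

def untrusted_triggers(text):
    """Untrusted trigger names among the keys of the workflow's `on:` block (assumes 2-4 space indent)."""
    names = set(re.findall(r"^ {2,4}([a-z_]+):", text, re.M))
    return sorted(names & UNTRUSTED_TRIGGERS)

def untrusted_input_in_run(text):
    """1-based lines of run steps (incl. `run: |` blocks) that expand untrusted event text."""
    hits, block_col = [], None
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        step = re.match(r" *(- *)?run: *(.*)", line)
        if step:  # new run step; a bare | or > opens a block scalar indented past the `run` key
            body = step.group(2).strip()
            block_col = line.index("run:") if body in ("|", ">", "|-", ">-") else None
            if UNTRUSTED_EXPR.search(body):
                hits.append(n)
        elif block_col is not None and (not line.strip() or indent > block_col):
            if UNTRUSTED_EXPR.search(line):
                hits.append(n)
        else:
            block_col = None  # back at a sibling key (e.g. env:) or the next step
    return hits

def audit_workflow(text):
    """Findings for one workflow file (heuristic lint written for this note, not a GitHub tool)."""
    findings = [f"line {n}: untrusted event text expanded in a run step; pass it through env: "
                "and quote it as a shell variable" for n in untrusted_input_in_run(text)]
    triggers = untrusted_triggers(text)
    if triggers and CACHE_RE.search(text):  # a default-branch run writes caches every other workflow can restore
        findings.append(f"cache used under {triggers}: a poisoned entry can be restored by release jobs")
    return findings

# Constructed triage workflow with both weaknesses (not the project's real file).
SAMPLE_WORKFLOW = """\
on:
  issues:
jobs:
  triage:
    steps:
      - uses: actions/setup-node@v4
        with:
          cache: npm
      - run: |
          npx triage-agent "${{ github.event.issue.title }}" \\
            --body "${{ github.event.issue.body }}"
"""
```

The fix the lint suggests is the standard one: bind the event field to an `env:` variable and reference it as a quoted shell variable, so the text is data rather than part of the command line.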