A single GitHub issue title compromised 4,000 developer machines through a sophisticated supply chain attack. On February 17, 2026, an attacker published [email protected] to npm with a malicious postinstall script that silently installed OpenClaw, a separate AI agent with full system access, on every machine that updated the package.

Security researcher Adnan Khan had actually discovered the vulnerability chain in December 2025 but received no response from Cline after reporting it via GitHub Security Advisory. When Khan publicly disclosed the issue on February 9, Cline patched within 30 minutes by removing the AI triage workflows. However, a botched credential rotation left the exposed npm token active long enough for the attacker to publish the compromised package six days later.

The attack chain began with prompt injection in a GitHub issue title that an AI triage bot executed, leading to cache poisoning, credential theft, and ultimately malicious npm publishing. This created a recursion problem where one AI tool silently bootstrapped a second AI agent on developer machines without consent. The incident exposed fundamental gaps in existing security controls like npm audit, code review, and permission prompts, while highlighting the risks of AI agents processing untrusted input in CI/CD environments.