Hasty Briefs

A GitHub Issue Title Compromised 4k Developer Machines

5 hours ago
  • #AI-security
  • #npm-compromise
  • #supply-chain-attack
  • A malicious npm package '[email protected]' was published, which silently installed 'OpenClaw' globally on developers' machines.
  • The attack exploited a GitHub issue title prompt injection to compromise an AI triage bot, leading to credential theft.
  • Attackers used cache poisoning to evict legitimate GitHub Actions cache entries and steal npm tokens.
  • The compromised npm token was used to publish the malicious package, affecting ~4,000 downloads before detection.
  • The vulnerability was reported but ignored, and a botched credential rotation left the token exposed.
  • The attack highlights risks of AI agents in CI/CD pipelines executing untrusted inputs with high privileges.
  • Cline implemented post-mortem fixes, including OIDC provenance and eliminating cache usage in credential workflows.
  • The incident underscores the need for per-syscall interception to evaluate AI agent operations against security policies.
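As an added illustration of the post-mortem fixes listed above (this is example configuration written for this brief, not Cline's real workflow), a GitHub Actions publish job sketched two ways: the risky shape the brief describes, where the job that holds the npm token also restores a shared cache, beside a hardened one that drops the cache, trims permissions and publishes with OIDC-backed provenance. The action versions, tag trigger and the `NPM_TOKEN` secret name are assumptions.

```yaml
# Added example, not Cline's own workflow.
# BEFORE: the publish job restores a shared Actions cache, so a poisoned
# cache entry gets unpacked in the same job that holds the npm token.
name: publish-risky
on: { push: { tags: ['v*'] } }
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions: write-all            # far more than publishing needs
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm                  # cache restore inside a credentialed job
      - run: npm ci && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived token

---
# AFTER: no cache in the credentialed job, least-privilege permissions,
# lifecycle scripts disabled during install, and an OIDC-signed provenance
# attestation so consumers can verify the package was built by this workflow.
name: publish-hardened
on: { push: { tags: ['v*'] } }
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write                 # lets npm request the OIDC token for provenance
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
          # no `cache:` key here: nothing is restored from a shared cache
      - run: npm ci --ignore-scripts  # install without running package lifecycle scripts
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

The hardened job still uses a registry token, so the token itself must be scoped and rotated; what provenance adds is a verifiable link between the published tarball and this workflow run.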