The Clinejection Attack: Why Agent Interfaces Need Purpose-Bound Authority
· 4 min read
4,000 developer machines. One GitHub issue title. Eight hours.
That's the Clinejection attack from last month. If you haven't read it, here's the chain: an attacker crafted a GitHub issue title containing an embedded instruction. An AI triage bot read it, interpreted it as legitimate, and executed npm install from a typosquatted repository. That triggered a cache poisoning attack that exfiltrated npm credentials. Six days later, 4,000 developers installed a compromised Cline release that silently bootstrapped a second AI agent on their machines — with shell access, credential access, and a persistent daemon surviving reboots.
Five steps. The entry point was natural language.