Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

A GitHub Issue Title Compromised 4,000 Developer Machines

grith.ai, posted 3 days ago
  • Cline is a CLI npm package that provides a simple AI assistant. It recently suffered a supply chain compromise via an unusual prompt-injection bug.
  • The project used the GitHub Action claude-code-action to run a workflow whenever a user created an issue. The workflow executed in the repository's context, though the article does not say much more about it. The issue title and description were passed straight to Claude as input, so an attacker-controlled title was able to hijack Claude's actions.
  • The AI bot was instructed to install a malicious npm package. Claude did what it was told and installed the typo-squatted package glthub-actions/cline. This fork of the regular package contained a package.json with a preinstall script that executed a remote shell.
  • The attacker then used the bash script Cacheract to poison the GitHub Actions cache. This tool lets an attacker persist data in the build pipeline, so when the daily release Action ran, it executed the poisoned build instead of the intended one. With the privileges of that job, they stole the NPM_RELEASE_TOKEN and several other tokens.
  • The npm token was used to publish the malicious npm module. The poisoned Cline version installed OpenClaw via a postinstall hook. StepSecurity identified the version only 14 minutes after it went live, and it was removed within 8 hours.
  • The story gets crazier, though: the maintainers attempted to rotate the stolen credentials but deleted the WRONG token. The stolen token therefore remained active long enough for a new version to be deployed 6 days later. Apparently, Adnan Khan had reported this to the project in December of 2025, but it was never acknowledged. A threat actor found the PoC on his test repository and exploited the bug themselves.
  • How StepSecurity caught this so fast is fascinating. First, the publish differed from the project's normal pattern: releases normally went through OIDC trusted publishing rather than a human-initiated publish. Next, legitimate releases carry attestations that verify the package's legitimacy, and these were also absent. Finally, the postinstall script was malicious and made no sense in this context.
  • StepSecurity included a few steps enterprise customers can take to protect themselves. First, enforce a cooldown period so that a newly published package version isn't adopted immediately. They also have a GitHub Actions runner hardening process that makes this kind of attack more difficult to perform.
  • Cline took the exploit seriously and made some changes. First, they disabled caching in jobs where credentials are used. Next, they started using provenance attestations for npm publishing. Finally, they improved their security process with SLAs, verification requirements on credential rotation, and third-party audits of the infrastructure. Going forward, I expect to see more of these completely automated flows getting compromised like this.
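The three detection signals and the cooldown advice summarised above, turned into a small triage check. This is my own added example, not StepSecurity's or Cline's code; it runs over a constructed packument excerpt, and the `time`, `versions` and `dist.attestations` field names are assumed from the npm registry's packument format.

```python
from datetime import datetime, timedelta

INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed packument excerpt (not real Cline metadata): 1.0.0 is a normal
# provenance-attested release, 1.0.1 looks like the publish described above.
SAMPLE_PACKUMENT = {
    "name": "example-cli",
    "time": {"1.0.0": "2026-01-01T00:00:00.000Z", "1.0.1": "2026-03-01T12:00:00.000Z"},
    "versions": {
        "1.0.0": {
            "scripts": {"build": "tsc"},
            "dist": {"attestations": {"url": "https://registry.example/-/npm/v1/attestations/example-cli@1.0.0",
                                      "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}}},
        },
        "1.0.1": {
            "scripts": {"build": "tsc", "postinstall": "node install-helper.js"},
            "dist": {},  # no attestations: published with a raw token, not trusted publishing
        },
    },
}


def _parse(ts: str) -> datetime:
    """Parse the registry's ISO-8601 'Z' timestamps into timezone-aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage_version(packument, version, now_iso, cooldown_days=7):
    """Return the list of findings for `version`; an empty list means nothing odd."""
    versions, times = packument["versions"], packument["time"]
    meta, published = versions[version], _parse(times[version])
    findings = []
    # 1. Missing provenance attestation: the release did not go through trusted publishing.
    if not meta.get("dist", {}).get("attestations"):
        findings.append("no provenance attestation")
    # 2. Install hooks run arbitrary code on `npm install`; flag hooks the previous version lacked.
    hooks = [h for h in INSTALL_HOOKS if h in meta.get("scripts", {})]
    older = [v for v in versions if _parse(times[v]) < published]
    prev_scripts = versions[max(older, key=lambda v: _parse(times[v]))].get("scripts", {}) if older else {}
    new_hooks = [h for h in hooks if h not in prev_scripts]
    if new_hooks:
        findings.append("new install hooks: " + ", ".join(new_hooks))
    # 3. Cooldown: a version this fresh should not be adopted yet.
    age = _parse(now_iso) - published
    if age < timedelta(days=cooldown_days):
        findings.append(f"published {age.days} day(s) ago, inside {cooldown_days}-day cooldown")
    return findings
```

In practice the packument comes from `npm view <pkg> --json` or the registry API; any non-empty finding list is a reason to hold the version back from CI until a human has looked at it.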