
Clinejection — Compromising Cline's Production Releases just by Prompting an Issue Triager

Source: Simon Willison
March 6, 2026

EXECUTIVE SUMMARY

Clinejection: A Cautionary Tale of Prompt Injection in AI-Powered Workflows

Summary

Adnan Khan reveals a sophisticated attack on the Cline GitHub repository, exploiting prompt injection vulnerabilities in AI-driven issue triage workflows. The attack allowed an anonymous assailant to compromise production releases through clever manipulation of issue titles.

Key Points

  • The attack exploited the anthropics/claude-code-action@v1 action used for issue triage in Cline's GitHub repository.
  • By crafting specific issue titles, attackers could carry out a prompt injection attack that led to arbitrary command execution.
  • The npm install command targeted a malicious package that could run any code via a 'preinstall' script.
  • Cline's issue triage workflow and nightly release workflow shared the same cache key, enabling cache poisoning.
  • An anonymous attacker published a compromised version of Cline ([email protected]), which included OpenClaw installation but did not perform more harmful actions.
  • Cline's failure to address the responsibly disclosed bug report led to the exploitation of their system.

Analysis

This incident highlights the vulnerabilities associated with AI-powered workflows, particularly in open-source environments. The ability to manipulate issue titles to execute commands poses significant risks, especially when workflows share cache keys.

Conclusion

IT professionals should implement stricter validation and sanitization measures for inputs in AI-driven systems and ensure that workflows do not share cache keys to prevent cache poisoning attacks.
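The two conditions named above (issue text reaching the triage agent's prompt, and a cache key shared between the triage and release workflows) can be checked mechanically. The following audit script is an added example, not code from the original article or from Cline; the workflow excerpts, file names and the key name npm-deps-v1 are constructed, and it uses a regex scan instead of a YAML parser to stay dependency-free.

```python
import re

# Constructed, trimmed sample workflows for illustration (not Cline's actual files).
TRIAGE = """\
on:
  issues: {types: [opened]}
jobs:
  triage:
    steps:
      - uses: actions/cache@v4
        with: {path: node_modules, key: npm-deps-v1}
      - uses: anthropics/claude-code-action@v1
        with:
          prompt: "Triage: ${{ github.event.issue.title }}"
"""
RELEASE = """\
on:
  schedule: [{cron: "0 3 * * *"}]
jobs:
  publish:
    steps:
      - uses: actions/cache@v4
        with: {path: node_modules, key: npm-deps-v1}
      - run: npm publish
"""

# Attacker-controllable fields, triggers any user can fire, and literal cache keys.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.event\.(?:issue|comment)\.(?:title|body)\s*\}\}")
ISSUE_TRIGGER = re.compile(r"^\s*(?:issues|issue_comment):", re.M)
CACHE_KEY = re.compile(r"\bkey:\s*([^\s,}]+)")

def audit(workflows):
    """Return sorted (kind, subject) findings for a {filename: yaml_text} mapping."""
    findings, key_users = set(), {}
    for name, text in workflows.items():
        exposed = bool(ISSUE_TRIGGER.search(text))  # anyone can open an issue
        if exposed and "claude-code-action" in text and UNTRUSTED.search(text):
            findings.add(("untrusted-text-in-agent-prompt", name))
        for key in CACHE_KEY.findall(text):
            key_users.setdefault(key, set()).add(exposed)
    for key, exposure in key_users.items():
        if exposure == {True, False}:  # used by both an exposed and a trusted workflow
            findings.add(("cache-key-shared-across-trust-boundary", key))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit({"triage.yml": TRIAGE, "release.yml": RELEASE}):
        print(finding)
```

Giving the release workflow its own cache key clears the second finding; the first remains until issue text no longer flows into the agent's prompt.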