{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreibpqgajhjrzk2o26nsgjsuizdfaz7x5q242fzdgmmncagzbcckzaa",
    "uri": "at://did:plc:b3tz6srl4ochk2wxn6dv6xpy/app.bsky.feed.post/3mgdqrfbnmng2"
  },
  "path": "/Articles/1061548/",
  "publishedAt": "2026-03-05T19:21:21.000Z",
  "site": "https://lwn.net",
  "tags": [
    "reports"
  ],
  "textContent": "The grith.ai blog reports on an LLM prompt-injection vulnerability that led to 4,000 installations of a compromised version of the Cline utility.\n\n> For the next eight hours, every developer who installed or updated Cline got OpenClaw - a separate AI agent with full system access - installed globally on their machine without consent. Approximately 4,000 downloads occurred before the package was pulled.\n>\n> The interesting part is not the payload. It is how the attacker got the npm token in the first place: by injecting a prompt into a GitHub issue title, which an AI triage bot read, interpreted as an instruction, and executed.",
  "title": "A GitHub Issue Title Compromised 4,000 Developer Machines (grith.ai)"
}