Prompt injection is no longer a chatbot problem. In Q1 2026, two incidents confirmed that injection vectors have moved upstream into the tools engineers use to build software — the IDE plugins, AI coding agents, and open-source proxy libraries most teams added to increase velocity, not threat surface.
The OpenClaw/Cline GitHub issues attack (Clinejection) showed that a single maliciously crafted GitHub issue title could kick off a full supply chain compromise. The LiteLLM/Mercor breach showed that a trusted AI infrastructure library with 3.4 million daily downloads could be weaponised in forty minutes, hitting over a thousand SaaS environments before PyPI could quarantine the package.
Together, these incidents mark the developer tooling layer as a structural attack surface for prompt injection. If you want the full scope of the 2026 injection attack surface, the picture is broader still.
This article covers how both attacks worked, how they map to OWASP’s formal classification, and the single preventive control that would have stopped the LiteLLM breach.
When the Attack Arrives Through Your IDE, Not Your User Interface
The defining pattern of 2026 supply chain injection is that the attack surface has moved into the developer tooling stack.
These tools ingest external content — repository issues, package dependencies, cached build artefacts — automatically. When an AI coding assistant reads GitHub issues for context, every issue is a potential instruction surface. The attack surface spans three categories most engineering teams adopted without treating as security perimeter components: IDE extensions such as Cline, AI proxy libraries such as LiteLLM, and the CI/CD automation connecting them.
OpenClaw and Cline — How GitHub Issues Became an Injection Delivery System
The Clinejection attack chain was named by security researcher Adnan Khan — private GHSA submitted 1 January 2026, public disclosure 9 February after no vendor response, patched within one hour. Advisory: GHSA-9ppg-jx86-fqw7.
The entry point was Cline’s automated issue-triage workflow, built on anthropics/claude-code-action@v1 with allowed_non_write_users: "*" — any GitHub user could trigger Claude with Bash, Write, and Edit permissions just by submitting a public issue.
Here’s what the attack chain looked like:
- A maliciously crafted issue title injected instructions into Cline’s workflow via indirect prompt injection.
- Injected instructions deployed Cacheract, which floods the GitHub Actions cache past the 10 GB LRU eviction limit, replacing legitimate entries with poisoned content.
- The higher-privilege nightly release workflow (
publish-nightly.yml) consumed the poisoned cache, exposingVSCE_PAT,OVSX_PAT, andNPM_RELEASE_TOKEN. - Those credentials published malicious
[email protected], whose postinstall script silently installed OpenClaw on an estimated 4,000+ developer machines in an approximately 8-hour window.
OpenClaw — formerly Clawdbot/Moltbot — is not inherently malicious, but its architecture makes it a high-value payload: a persistent background daemon with broad system permissions and CVE-2026-25253 (operator privilege escalation without authentication). StepSecurity detected the anomaly within 14 minutes via the absence of OIDC provenance attestations.
LiteLLM and Mercor — Forty Minutes, a Thousand SaaS Environments
The LiteLLM/Mercor breach took a different path but followed the same structural pattern: a trusted AI infrastructure component became the initial access point.
TeamPCP exploited a pull_request_target vulnerability in Trivy — a vulnerability scanner sitting in LiteLLM’s CI/CD pipeline — to steal maintainer credentials. On 24 March 2026, malicious LiteLLM versions 1.82.7 and 1.82.8 hit PyPI via the stolen PYPI_PUBLISH token. PyPI quarantined the package roughly 40 minutes later, though cache propagation extended effective exposure to three hours in some environments. LiteLLM is present in an estimated 36% of all cloud environments (Wiz Research). Mandiant at RSAC 2026 put cascading effects across 1,000+ SaaS environments.
The breach (CVE-2026-33634) cascaded to Mercor — an AI training data startup sourcing proprietary data for OpenAI, Anthropic, and Meta — via TeamPCP’s collaboration with [Lapsus](https : //en.wikipedia.org/wiki/Lapsus), which claimed 4 TB of stolen data. Meta paused all Mercor contracts on 3 April 2026.
LiteLLM held SOC 2 and ISO 27001 certifications from Delve Technologies. Neither detected the unpinned CI/CD dependency — compliance certifications don’t require cryptographic dependency pinning, and the breach made that gap visible at scale.
The MCP Attack Surface — Malicious Servers and Rug Pull Mutations
The same dynamic extends to the Model Context Protocol (MCP), which introduces two distinct supply chain threat classes.
Class D1 — Malicious MCP Servers: an adversary-controlled server injects adversarial instructions via tool outputs — analogous to a poisoned npm package, but targeted at agent tool-call chains rather than build pipelines.
Class D2 — Rug Pull Mutations: a post-installation attack where an MCP server’s behaviour changes server-side after trust is established — tool definitions silently redefined without triggering re-authorisation. Catalogued in the OWASP MCP Security Cheat Sheet.
D1 is detectable at install time through provenance verification. D2 requires runtime monitoring — a control most current MCP implementations simply don’t have. Flowise CVE-2025-59528 illustrates the intersection: an attacker-controlled MCP server serving as both injection delivery and RCE vector (Flowise CVE-2025-59528 analysis).
OWASP LLM03 — How Supply Chain Injection Fits the Formal Taxonomy
OWASP LLM03:2025 (Supply Chain Vulnerabilities) covers vulnerabilities from dependencies, plugins, pre-trained models, and deployment infrastructure for LLMs. Both incidents map to it: both attacks entered through trusted supply chain components, not direct model interfaces.
LLM03 is distinct from LLM01:2025 (Prompt Injection): LLM01 covers attacks on the model’s input interface; LLM03 covers attacks on the infrastructure that reaches it. Clinejection sits across both — indirect injection delivered through the developer tooling layer. Where the OWASP LLM03 classification fits within the broader LLM taxonomy is covered in the companion OWASP LLM01 article.
Formal CVE assignments confirm institutional recognition: CVE-2026-33634 (LiteLLM), CVE-2026-25253 (OpenClaw), GHSA-9ppg-jx86-fqw7 (Clinejection). Tracked at the same level as traditional software vulnerabilities.
What Dependency Pinning Does — and What It Doesn’t Cover
Dependency pinning — locking packages to specific, cryptographically-hashed versions via lockfiles — would have stopped the LiteLLM/Mercor breach outright. Organisations with LiteLLM pinned got an automatic hash mismatch rejection on 1.82.7 and 1.82.8 before any code executed. It’s a CI/CD configuration change any team can make without a security specialist.
It doesn’t cover everything, though. Clinejection exploited CI/CD configuration and AI agent permissions, not a dependency update path. MCP rug pull mutations are invisible to it. Direct credential compromise before pinning is established remains an open exposure.
Complementary controls fill the gaps: OIDC/Trusted Publishing catches anomalous publication events; SBOM and AIBOM provide inventory visibility; AI agent permission scoping limits blast radius. Any unpinned AI infrastructure dependency is an open exposure in the same class as the one that hit Mercor.
For how injection expanded beyond chatbot interfaces into the full scope of the 2026 injection attack surface, the series hub covers the complete landscape. For enterprise defence product mitigations, see the IDE-level and supply chain mitigations available in enterprise defence products.
Frequently Asked Questions
What is Clinejection and who discovered it?
Clinejection is security researcher Adnan Khan’s name for the attack targeting Cline’s AI issue-triage workflow — indirect prompt injection via a GitHub issue title, chained through cache poisoning to steal publication credentials and ship OpenClaw. Private GHSA submitted 1 January 2026, public disclosure 9 February after no vendor response, patched within one hour. Advisory: GHSA-9ppg-jx86-fqw7.
What is indirect prompt injection and how is it different from direct prompt injection?
Indirect prompt injection is when attacker-controlled content in an external source — a GitHub issue, a document, a web page — is ingested by an AI agent and executed as instructions, without the attacker touching the AI directly. Direct injection means the attacker crafted the input themselves. Clinejection is the clearest documented example of indirect injection chained into a full supply chain compromise.
How did GitHub Actions cache poisoning work in the Clinejection attack?
Injected instructions directed Claude to deploy Cacheract, flooding the GitHub Actions cache past the 10 GB LRU eviction limit and replacing legitimate entries with poisoned content, consumed by the higher-privilege release workflow to gain access to publication secrets.
Why was OpenClaw the payload, and is it inherently malicious software?
OpenClaw installs a persistent daemon with broad system permissions. Not inherently malicious, but CVE-2026-25253 (CVSS 8.8) lets an attacker gain full operator-level access via a crafted WebSocket handshake. It survives reboots and persists after Cline is removed.
What is CVE-2026-33634 and which versions of LiteLLM are affected?
CVE-2026-33634 covers LiteLLM versions 1.82.7 and 1.82.8 (published 24 March 2026 via a compromised Trivy GitHub Action). Organisations with lockfile pinning were protected regardless of specified versions.
Who is TeamPCP and what is their relationship to Lapsus$?
TeamPCP (PCPcat/ShellForce/DeadCatx3) ran the Trivy → LiteLLM → Mercor chain, collaborating with Lapsus$, which claimed the 4 TB Mercor theft. Mandiant cited cascading effects across 1,000+ SaaS environments at RSAC 2026.
What data was stolen in the Mercor breach?
Approximately 4 TB: AI training source code, contractor PII, and video interviews. Mercor sourced data for OpenAI, Anthropic, and Meta. Meta paused all Mercor contracts on 3 April 2026.
What is the difference between a malicious MCP server and an MCP rug pull mutation?
A malicious MCP server (Class D1) injects adversarial instructions from the point of first installation. An MCP rug pull mutation (Class D2) changes a legitimate server’s behaviour server-side after trust is established — tool definitions silently redefined without re-authorisation. D1 is detectable at install time; D2 requires runtime monitoring.
Does a SOC 2 or ISO 27001 certification protect against supply chain injection?
No. LiteLLM held both; neither detected the unpinned CI/CD dependency. Treat compliance as a baseline, not supply chain security assurance.
How quickly can a malicious npm or PyPI package reach developer machines?
[email protected] hit an estimated 4,000+ developers in roughly 8 hours. Malicious LiteLLM versions were live for about 40 minutes before quarantine. With auto-update behaviour and no cooldown checks, propagation outpaces human incident response.
What is OWASP LLM03:2025 and how does it relate to these incidents?
OWASP LLM03:2025 (Supply Chain Vulnerabilities) covers vulnerabilities from dependencies, plugins, and deployment infrastructure in LLM systems. Both incidents map to it — entered through trusted supply chain components, not direct model interfaces. It gives you the vocabulary to brief boards and compliance teams.
What is an SBOM or AIBOM and why is it relevant after these breaches?
An SBOM is a machine-readable inventory of all software components and dependencies. An AIBOM extends this to AI-specific components — models, datasets, proxies, agent frameworks. CycloneDX and SPDX 3.0 have been extended post-breach to cover AI infrastructure, giving you the dependency visibility to spot exposure before a breach notification arrives.
