The Week Prompt Injection Became a Supply Chain Weapon

On February 17, 2026, someone filed a GitHub issue with a carefully crafted title. No exploit code in the body. No malicious attachment. Just a title.

The title contained a prompt injection payload. An AI-powered triage bot read it, interpreted the embedded instructions as its own task, and executed code. That code poisoned the CI/CD cache, extracted npm publish tokens, and pushed a compromised package to the npm registry as cline@2.3.0.

Approximately 4,000 developers installed the malicious package in eight hours before it was pulled. The attack has a name now: Clinejection. It deserves attention not because of its scale (the Cline CLI package had 418,000 monthly downloads, not the 5 million installs of the VS Code extension), but because of what it reveals about the security assumptions baked into every AI-assisted development workflow running today.

The Seven Steps That Should Keep You Up at Night

The Clinejection attack chain had seven discrete steps. Each one is worth understanding, because the standard narrative (“prompt injection is dangerous”) obscures the more important structural lesson.

Step 1. Attacker files a GitHub issue with a prompt injection payload in the title.

Step 2. An AI triage bot reads the issue. The payload hijacks the bot’s execution context.

Step 3. The bot, now operating under attacker instructions, executes code within the CI/CD environment.

Step 4. That code poisons the CI/CD cache, establishing persistence.

Step 5. On the next build, the poisoned cache extracts npm publish tokens from the environment.

Step 6. Using those tokens, the attacker pushes cline@2.3.0 to the npm registry.

Step 7. Developers install the compromised package through normal dependency resolution.

Here is the structural observation that matters: prompt injection was the ignition, not the engine. The attack succeeded because of a chain of conventional misconfigurations. OIDC token authentication was enabled but legacy tokens were never disabled. When a suspicious token was revoked on February 9th, the wrong token was revoked. The CI/CD environment exposed publish credentials to processes that had no business accessing them.

Strip out the AI triage bot entirely. Replace step 1 with any other method of getting code execution in the CI/CD pipeline, and the rest of the chain works identically. The prompt injection was a novel entry point into an old problem: insufficiently segmented build infrastructure with overprivileged credentials.

Snyk’s research team calls this pattern a “toxic flow”: untrusted data entering an AI agent’s context where the agent also has tool access. The entry point was natural language rather than code. But the damage came from everything downstream of that entry point. Conventional infrastructure problems, amplified by a new attack vector.

Same Week, Every Layer

The Clinejection attack did not happen in isolation. The same seven-day window produced security incidents at every layer of the AI stack. These events are unrelated to each other. Nobody coordinated them. But their simultaneity tells a story about how fast AI tools have been integrated into infrastructure without corresponding security adaptation.

Device layer. ESET researchers published findings on PromptSpy, the first documented Android malware that uses a generative AI model (Google’s Gemini) for adaptive behavior. PromptSpy uses VNC for remote device control and Gemini to dynamically manipulate UI elements and maintain persistence. It targets users in Argentina. Zero telemetry detections so far, meaning it is proof-of-concept stage, not an active threat. But the concept matters: malware that uses an LLM to adapt its behavior at runtime is qualitatively different from static malware with hardcoded logic.

Application layer. Since January 21, 2026, Microsoft has been tracking a Copilot DLP bypass (case CW1226324) where Copilot summarized emails labeled as confidential from users’ Sent and Drafts folders. Microsoft’s official response stated that Copilot “did not provide access to unauthorized information.” This is technically true in the narrowest possible reading. The user had access to their own sent emails. But summarizing confidential-labeled content and presenting it in a new context defeats the purpose of the confidentiality label. The European Parliament, apparently unconvinced by Microsoft’s framing, blocked AI assistants on lawmakers’ devices.

Framework layer. CVE-2026-26030 earned a CVSS score of 9.9: a remote code execution vulnerability in Microsoft’s Semantic Kernel Python SDK. The root cause was an eval() call in the InMemoryVectorStore filter implementation. An eval() in a data query path. The real-world risk is lower than the CVSS score suggests because Semantic Kernel’s in-memory vector store is primarily a development and testing tool. But the vulnerability illustrates a pattern: AI framework developers, under pressure to ship features quickly, sometimes reach for shortcuts that would be rejected in any mature security review.

Institutional layer. On February 14th, the Department of Homeland Security initiated a shutdown that left CISA operating at 38% capacity (888 of 2,341 staff). The agency responsible for coordinating the national response to exactly the kind of attacks described above was running with fewer than half its people during the same week those attacks were happening.

The Dual-Use Convergence

The week’s most important signal was not any single attack. It was the simultaneous appearance of AI as both weapon and defense.

On February 20th, Anthropic launched Claude Code and reported that its AI systems had found over 500 previously unknown software vulnerabilities. Self-reported number, so apply appropriate skepticism. But the directional claim is consistent with what every major AI lab reports: these models are genuinely good at finding bugs.

The same capability that finds bugs for defenders finds bugs for attackers. The same language understanding that powers a helpful triage bot powers the prompt injection that hijacks it. Snyk’s ToxicSkills research found that 36% of AI agent skills on ClawHub contain security flaws. The tools we build to help us are the tools that can be turned against us.

Yuval Zacharia captured this precisely: “The agent is the implant, and plain text is the protocol.”

This is not a warning about AI becoming dangerous in some future scenario. It is a description of the current state. According to Microsoft’s Cyber Pulse report (February 10), 80% of Fortune 500 companies run active AI agents in production. According to Microsoft’s Data Security Index (January 29, a different report), only 47% of organizations have GenAI-specific security controls. Those two numbers, from two separate Microsoft studies, describe the deficit directly. The majority of large enterprises have AI agents running. Less than half have security controls designed for them.

What Clinejection Actually Teaches

The temptation is to frame this week as evidence that “every layer of AI is under attack.” That framing is dramatic and mostly unhelpful. These were unrelated incidents that happened to cluster in time. The honest reading: AI tools have been integrated into production infrastructure faster than security practices have adapted.

Clinejection teaches three specific lessons.

First, prompt injection is now a supply chain vector. Before February 17th, prompt injection was primarily discussed as a model-level problem: tricking a chatbot into saying something it shouldn’t. Clinejection demonstrated that prompt injection in an automated pipeline can lead to credential theft and package compromise. The attack surface moved from the model to the infrastructure the model touches.

Second, AI security is not a separate discipline. The Clinejection attack succeeded because of credential management failures, insufficient CI/CD isolation, and missing token rotation policies. These are conventional security problems. The AI triage bot was simply the newest, most convenient door into an already poorly secured building. Organizations that treat “AI security” as a specialized function separate from infrastructure security will miss exactly this kind of compound attack.

Third, the velocity mismatch is the real risk. AI tools are being deployed into CI/CD pipelines, email systems, development workflows, and production infrastructure at a pace that outstrips governance adaptation. Not because governance is impossible, but because the adoption decision is typically made by a team optimizing for productivity, and the security review happens later. Or never.

Kiteworks’ 2026 research found that 63% of organizations cannot enforce purpose limitations on their AI agents. Sixty percent cannot terminate misbehaving agents. These are not hypothetical concerns. They are measurements of current capability in production environments.

The Structural Question

The week of February 17th did not introduce new categories of risk. Prompt injection has been studied for years. Supply chain attacks have been studied for decades. CI/CD credential exposure is a known, documented, repeatedly exploited class of vulnerability.

What changed is that these categories now intersect. An AI bot reads untrusted input, acts on it with real credentials, and publishes the result to a package registry that thousands of developers trust implicitly. Each link in that chain was well-understood individually. Nobody governed the chain as a whole.

That is the structural question for every organization running AI agents in production: have you governed the chain, or only the individual links?

If the answer requires more than a moment’s thought, you already know what it is.

---

At Victorino, we help organizations govern AI systems before the compound failures arrive. If your AI agents touch CI/CD pipelines, package registries, or production infrastructure, let’s talk about what a governed chain looks like.