๐Ÿƒ journaleaf

AI Coding Agents Have CI/CD Access Now โ€” Here's What Went Wrong in 2026

5 min read

AI CodingSecurity

AI coding agents don't just autocomplete anymore. Plugged into GitHub Actions, they can read an issue, decide it needs a code change, run tests, and open a pull request โ€” all without a human in the loop. Some setups go further and let an agent publish a package release. That's a real productivity gain, and it's also a new kind of attack surface, because everything the agent reads (issue titles, PR descriptions, README files) is untrusted text from the internet, and untrusted text that an AI agent treats as instructions is exactly what prompt injection exploits. 2026 produced several concrete examples of what that looks like when it goes wrong, and they're worth understanding if you're using or considering these tools.

The Cline incident

Cline is a popular open-source AI coding agent distributed as a VS Code extension and an npm CLI package. In February 2026, security researcher Adnan Khan disclosed a vulnerability chain he called "Clinejection." Cline's repository used a Claude-based bot to automatically triage new GitHub issues, and that triage workflow would act on text inside the issue itself. Khan showed that a crafted issue title could inject instructions the bot would follow, and that those instructions could be used to poison the GitHub Actions cache shared between workflows โ€” pivoting from the low-privilege triage job into the publish workflows that held Cline's npm and VS Code Marketplace publishing tokens.

The vulnerability window ran from December 21, 2025 to February 9, 2026, when Khan disclosed it. But on February 17, before the underlying issue was fully closed off, someone used a stolen token to publish a malicious version of the package, cline@2.3.0. The only change was a postinstall script that silently ran npm install -g openclaw. It stayed live for about eight hours โ€” roughly 3:26 AM to 11:30 AM Pacific โ€” and was downloaded around 4,000 times before Cline caught it and deprecated the version. The CLI itself wasn't tampered with; the damage was entirely in that one extra install step, which is exactly the kind of change that's easy to miss in a routine version bump. Cline's response afterward was blunt: it removed the automated issue/PR bot review workflow entirely and stripped the shared cache out of its release pipeline.

Anthropic's Claude Code Action had two separate issues

Cline wasn't the only agent with this class of problem. Anthropic's own claude-code-action for GitHub โ€” the official way to run Claude Code inside a CI workflow โ€” had two distinct vulnerabilities disclosed and fixed in 2026.

The first, reported by researcher RyotaK of GMO Flatt Security in January 2026, was a permission-check bypass: the action assumed any GitHub account or app was trustworthy if it merely looked like a "bot" account, when in reality anyone can register a GitHub App and use its token against a public repository. Combined with indirect prompt injection, an attacker could get Claude to read /proc/self/environ and leak credentials from the workflow's environment. Anthropic fixed the core bypass within four days of the report, rated the combined issues 7.8 on CVSS v4.0, paid a bug bounty, and shipped further hardening through the spring in claude-code-action v1.0.94 and later.

The second, found separately by Microsoft Threat Intelligence and reported in April 2026, was narrower but related: the action's Bash tool ran inside a sandbox that scrubbed environment variables, but its Read tool didn't get the same treatment, so a prompt-injected instruction to "read" a process's environment file could still pull out an ANTHROPIC_API_KEY. Anthropic mitigated it on May 5, 2026, in Claude Code 2.1.128, by blocking reads from /proc/ paths outright.

Neither flaw is known to have been exploited against Anthropic's own repository the way Cline's was. But the pattern is the same in both cases: an agent with shell or file-read access, fed untrusted text, found a path to credentials it was never supposed to touch.

The warning about what's coming next

At the end of June, Mozilla's threat research group published a proof-of-concept showing a variant that doesn't even need a compromised CI workflow. A malicious repository can contain setup instructions that look completely ordinary, paired with a package engineered to fail on first run and prompt the developer (or their AI agent) to run an "initialization" command. That command fetches and executes a payload retrieved through DNS TXT records โ€” a channel that's effectively invisible to code review and to most static analysis tools, and one the AI agent itself has no reason to flag, because nothing about the request looks unusual to it. Mozilla's core recommendation was blunt: treat setup scripts in unfamiliar repositories as untrusted code, regardless of what your AI tool tells you about them.

What this actually means if you use these tools

None of this is an argument against AI coding agents โ€” it's an argument against giving them more trust than the access they need. A few things worth doing if you're running one in CI or letting it operate autonomously:

  • Don't let a triage or issue-handling bot share credentials or caches with your publish/release pipeline. That's the exact chain both Cline and the Claude Code Action bypass relied on.
  • Scope tokens narrowly and rotate them. A workflow that only needs to comment on issues shouldn't have access to an npm publish token, full stop.
  • Treat any text an agent reads from outside your control โ€” issue titles, PR descriptions, READMEs, error messages from a package you just installed โ€” as untrusted input, the same way you'd treat unsanitized user input in a web app.
  • Keep human review on anything that touches secrets or publishes artifacts, even if the rest of the workflow runs autonomously.

The tools that make agentic coding useful โ€” shell access, the ability to act on plain-language instructions, autonomy to run multi-step workflows โ€” are the same properties that make these attacks possible. That trade-off isn't going away, so the practical move is architecting around it rather than hoping this year's patches were the last ones needed.

Sources: The Hacker News on the Claude Code Action flaw, Microsoft Security Blog, Adnan Khan's Clinejection writeup, The Hacker News on the Cline CLI compromise, Help Net Security on Mozilla's warning.