coding by Promptsicle Team

Cline AI Coding Tool Hit by Supply Chain Attack


Cline AI Coding Assistant Suffers Supply Chain Attack

Over 600,000 developers using the Cline AI coding assistant found themselves exposed to malicious code on December 16, 2024, when attackers compromised version 2.2.0 of the popular VS Code extension. The incident, which lasted approximately three hours before detection, represents one of the most significant supply chain attacks targeting AI development tools to date.

Attack Timeline and Technical Details

The compromise occurred when attackers gained access to the publisher account credentials for Cline’s VS Code Marketplace listing. Between 4:47 AM and 7:52 AM UTC, the malicious version 2.2.0 replaced the legitimate extension, injecting code designed to exfiltrate environment variables, API keys, and authentication tokens from developer machines.

Security researchers at Snyk identified the malicious payload within the extension’s activation scripts. The code specifically targeted credentials for OpenAI, Anthropic, Google Cloud, and AWS services—platforms commonly used alongside Cline for AI-assisted development. The exfiltrated data was transmitted to a command-and-control server at https://api-collector-x7k9.onrender.com before the extension proceeded with normal operation, making detection difficult for casual users.
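Detection logic for the beacon described above, as an added example that is not code from Snyk, Cline, or the original article: it scans egress logs for the collector host and lists which machines contacted it, and whether that happened while version 2.2.0 was live. The log layout and the sample lines are constructed; adapt the parsing to your proxy or firewall format.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

C2_HOST = "api-collector-x7k9.onrender.com"  # collector host named in the article
# Window in which version 2.2.0 was live, per the article (UTC).
LIVE_FROM = datetime(2024, 12, 16, 4, 47, tzinfo=timezone.utc)
LIVE_UNTIL = datetime(2024, 12, 16, 7, 52, tzinfo=timezone.utc)

# Constructed sample: "<ISO-8601 UTC> <source host> <method> <URL or host:port>"
SAMPLE_LOG = """\
2024-12-16T04:12:09Z dev-laptop-07 CONNECT api.openai.com:443
2024-12-16T05:03:41Z dev-laptop-07 CONNECT api-collector-x7k9.onrender.com:443
2024-12-16T06:20:00Z build-agent-2 POST https://API-Collector-X7K9.onrender.com/v1
2024-12-16T06:21:13Z dev-laptop-11 GET https://example.org/?ref=api-collector-x7k9.onrender.com
2024-12-17T09:30:55Z dev-laptop-03 CONNECT api-collector-x7k9.onrender.com:443
truncated entry
"""

def destination_host(target):
    """Return the lowercase hostname of a URL or a CONNECT-style host:port."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit treat host:port as a netloc
    return (urlsplit(target).hostname or "").lower()

def hunt(log_text):
    """Map each source host to its C2 contacts as (timestamp, in_live_window)."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line
        stamp, source, _method, target = parts
        if destination_host(target) != C2_HOST:
            continue  # exact host match, so a mention in a query string is ignored
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        hits.setdefault(source, []).append((when, LIVE_FROM <= when <= LIVE_UNTIL))
    return hits

if __name__ == "__main__":
    for source, contacts in sorted(hunt(SAMPLE_LOG).items()):
        for when, in_window in contacts:
            # A contact outside the window points to a host still running 2.2.0.
            note = "during live window" if in_window else "outside live window"
            print(f"{source}  {when.isoformat()}  {note}")
```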

Cline’s development team responded by immediately revoking the compromised publisher credentials and releasing version 2.2.1 as a clean replacement. VS Code’s automatic update mechanism pushed the patched version to most users within hours, though manual intervention was required for offline installations.

Impact on Development Workflows

The attack specifically targeted Cline’s position in the AI development stack. As an autonomous coding assistant that operates within VS Code, Cline requires access to various API credentials to function. Developers typically store these credentials in environment variables or configuration files—exactly what the malicious code harvested.

Organizations using Cline in production environments faced immediate security audits. The compromised credentials potentially granted attackers access to AI model APIs, cloud infrastructure, and version control systems. Several companies reported unauthorized API usage charges in the days following the attack, suggesting the stolen credentials were actively exploited.

The incident also highlighted risks in the VS Code extension ecosystem. Unlike traditional software distribution channels with extensive review processes, extensions can be updated rapidly with minimal oversight. While this enables quick bug fixes and feature releases, it creates opportunities for supply chain attacks when publisher accounts are compromised.

Mitigation and Recovery Steps

Developers who installed Cline between 4:47 AM and 7:52 AM UTC on December 16 needed to take immediate action. The recommended response included rotating all API keys and authentication tokens accessible from the development environment, reviewing cloud service logs for unauthorized access, and checking for unexpected API usage or resource consumption.
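To scope that rotation, the following added example (not from the article or the Cline project) builds a per-provider list of credential variables present in a developer environment, working on names only. The prefix list, the `.env` parsing, and the sample input are assumptions constructed for illustration.

```python
import re

# Name prefixes for the four providers the article says were targeted
# (conventional names; an assumption about how your keys are stored).
PROVIDER_PREFIXES = {
    "OpenAI": ("OPENAI_",),
    "Anthropic": ("ANTHROPIC_",),
    "Google Cloud": ("GOOGLE_", "GCLOUD_", "GCP_"),
    "AWS": ("AWS_",),
}
SECRET_HINT = re.compile(r"KEY|TOKEN|SECRET|CREDENTIAL")

def dotenv_names(text):
    """Return the variable names defined in .env-style text; values are dropped."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name = line.split("=", 1)[0].strip()
        if name.startswith("export "):
            name = name[len("export "):].strip()
        names.append(name)
    return names

def rotation_inventory(env_names, dotenv_text=""):
    """Group credential variable names by provider. Never reads or returns values."""
    inventory = {}
    for name in sorted(set(env_names) | set(dotenv_names(dotenv_text))):
        for provider, prefixes in PROVIDER_PREFIXES.items():
            if name.startswith(prefixes) and SECRET_HINT.search(name):
                inventory.setdefault(provider, []).append(name)
    return inventory

# Constructed sample input; the values are placeholders.
SAMPLE_ENV = ["PATH", "AWS_REGION", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
              "OPENAI_API_KEY"]
SAMPLE_DOTENV = """\
# constructed .env file
export ANTHROPIC_API_KEY=placeholder
GOOGLE_APPLICATION_CREDENTIALS=/path/to/placeholder.json
EDITOR=vim
"""

if __name__ == "__main__":
    # Pass os.environ (iterating it yields names only) to inspect a real session.
    for provider, names in rotation_inventory(SAMPLE_ENV, SAMPLE_DOTENV).items():
        print(f"{provider}: rotate what is behind {', '.join(names)}")
```

Credential files such as `~/.aws/credentials` are not covered by a variable-name scan and need the same review.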

For teams using Cline in continuous integration pipelines, the attack necessitated broader security reviews. Many organizations implemented additional safeguards, including restricting extension auto-updates, requiring security team approval for new extension versions, and isolating development environments from production credentials.

The Cline project has since implemented multi-factor authentication for all publisher accounts and established a code signing process for future releases. The team also published checksums for verified versions at https://github.com/cline/cline/releases, allowing developers to validate extension integrity before installation.
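One way to run that validation on a downloaded `.vsix` before installing it, as an added example that is not the Cline project's tooling. It assumes the published checksums are SHA-256 in `sha256sum` format (`<hex digest>  <filename>`), which the article does not specify; the file name and package bytes are constructed.

```python
import hashlib
import io
import re

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so large packages are not held in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def parse_checksums(text):
    """Parse 'digest  filename' lines; reject malformed or conflicting entries."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.strip().partition(" ")
        name = name.lstrip(" *")  # sha256sum marks binary mode with '*'
        if not re.fullmatch(r"[0-9a-fA-F]{64}", digest) or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        if table.setdefault(name, digest.lower()) != digest.lower():
            raise ValueError(f"conflicting digests for {name}")
    return table

def verify_package(name, stream, checksums_text):
    """Return True only if name is listed and its digest matches. Fails closed."""
    expected = parse_checksums(checksums_text).get(name)
    if expected is None:
        return False  # a file missing from the list is never trusted
    return sha256_stream(stream) == expected

# Constructed stand-ins for a downloaded package and the published list.
SAMPLE_NAME = "cline-2.2.1.vsix"
SAMPLE_BYTES = b"constructed package bytes, not a real VSIX"
SAMPLE_CHECKSUMS = f"{hashlib.sha256(SAMPLE_BYTES).hexdigest()}  {SAMPLE_NAME}\n"

if __name__ == "__main__":
    # For a real download, pass open(path, "rb") in place of io.BytesIO(...).
    ok = verify_package(SAMPLE_NAME, io.BytesIO(SAMPLE_BYTES), SAMPLE_CHECKSUMS)
    tampered = verify_package(SAMPLE_NAME, io.BytesIO(SAMPLE_BYTES + b"x"),
                              SAMPLE_CHECKSUMS)
    print("intact package accepted:", ok)
    print("modified package accepted:", tampered)
```

The check is only as strong as the channel the checksum list came from; here that is the GitHub releases page, which is separate from the Marketplace publisher account that was compromised.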

Broader Security Implications

This attack demonstrates how AI coding assistants have become high-value targets for credential theft. Unlike traditional development tools, AI assistants often require access to multiple cloud services simultaneously, making them attractive entry points for attackers seeking broad access to development infrastructure.

The incident also raises questions about trust models in AI-assisted development. Developers grant these tools extensive permissions—access to codebases, environment variables, and network connections—based on the assumption that the tools themselves are secure. When that assumption breaks down, the blast radius extends far beyond a single compromised application.

Security experts recommend treating AI coding assistants with the same scrutiny as other critical infrastructure components. This includes monitoring extension updates, implementing credential rotation policies, and using dedicated API keys with minimal necessary permissions rather than sharing production credentials with development tools.

The Cline supply chain attack serves as a reminder that the convenience of AI-powered development tools comes with security responsibilities that extend beyond traditional software development practices.