I guess it's somewhat known that you can trivially fake a repo w/a fork like this but it still feels like a bigger security risk than the "this commit comes from another repository" banner gives it credit for:

https://github.com/cline/cline/commit/b181e0

Yes, this has been an issue for so long and GitHub just doesn't care enough to fix it.

There's another way it can be exploited. It's very common to pin Actions in workflows these days by their commit hash like this:

  - uses: actions/checkout@378343a27a77b2cfc354f4e84b1b4b29b34f08c2

But this commit doesn't even have to belong to the preceding repository. You can reference a commit on a fork. Great way to sneak in an xz-utils style backdoor into critical CI workflows.

GitHub just doesn't care about security. Actions is a security disaster and has been for over a decade. They would rather spend years migrating to Azure for no reason and have multiple outages a week than do anything anybody cares about.

> But this commit doesn't even have to belong to the preceding repository. You can reference a commit on a fork. Great way to sneak in an xz-utils style backdoor into critical CI workflows.

Wow. Does the SHA need to belong to a fork of the repo? Or is GitHub just exposing all (public?) repo commits as a giant content-addressable store?

Needs to be a fork.

Related: https://trufflesecurity.com/blog/anyone-can-access-deleted-a...

It appears that under their system all forks belong to same repo (I imagine they just make _fork/<forkname> ref under git when there is something forked off main repo) presumably to save on storage. And so accessing a single commit doesn't really care about origin(as finding to which branch(es) commit belongs would be a lot of work)

This trick is also useful for finding code that taken down via DMCA requests! If you have specific commits, you can often still recovery it.

yikes.. there should be the cli equivalent of that warning banner at the very least. combine this with something like gitc0ffee and it's downright dangerous

A YAML linter for it, too. I was appreciating the cron input overlay in the current GitHub Actions VS Code extension. In ghost text beside a cron: 'something' input it gives you a human-readable description. Seems like it could also do a similar thing for actions commit refs, show a simple verification if it corresponds to a tag or not in that repo.

Yeah the way Github connects forks behind the scenes has created so many gotchas like this, I'm sure it's a nightmare to fix at this point but they definitely hold some responsibility here.

I've seen it used to impersonate github themselves and serve backdoored versions of their software (the banner is pretty easy to avoid: link to the readme of the malicious commit with an anchor tag and put a nice big download link in it).

I don't understand, how exactly does `npm install github:cline/cline#b181e0` work?

b181e0 is literally a commit, a few deleted lines. npm could parse that as a legit script ???

In git a commit is a full tree snapshot, even though most commit views only show the diff with the previous commit. npm is using the commit hash as a "version number" and grabbing the full git tree snapshot for that point in time. (Just like in git you can always `git checkout b181e0` to end up in a "detached HEAD" state at that commit's tree. So many developers were doing that unintentionally which is why `git switch` requires the `--detach` flag to checkout the tree at a commit, but the same thing is possible `git switch --detach b181e0`.)

I think it's pointing to a version of the repo, so npm installs the package.json of that version of the repo.

> Seem that github:cline/cline#b181e0 actually pointed to a forked respository with the malicious postinstall script.

This seems to be a much bigger problem here than the fact it's triggered by an AI triage bot.

I have to admit until one second ago I had been assuming if something starts with github:cline/cline it's from the same repo.

It was actually glthub/cline, as per the article, not github/cline.

The original report by the developer, Khan, mentions that github:cline/cline would also work[0].

> github:cline/cline#aaaaaaaa could point to a commit in a fork with a replaced package.json containing a malicious preinstall script.

[0] https://adnanthekhan.com/posts/clinejection/#the-prompt-inje...

What! That completely violates any reasonable expectation of what that could be referring to.

I wonder if npm themselves could mitigate somewhat since it's relying on their GitHub integration?

I doubt Microsoft policies allow a subsidiary of a subsidiary to do things which highlight the shortcomings of the middle subsidiary.

But how it's not secured against simple prompt injection.

I think calling prompt injection 'simple' is optimistic and slightly naive.

The tricky part about prompt injection is that when you concatenate attacker-controlled text into an instruction or system slot, the model will often treat that text as authority, so a title containing 'ignore previous instructions' or a directive-looking code block can flip behavior without any other bug.

Practical mitigations are to never paste raw titles into instruction contexts, treat them as opaque fields validated by a strict JSON schema using a validator like AJV, strip or escape lines that match command patterns, force structured outputs with function-calling or an output parser, and gate any real actions behind a separate auditable step, which costs flexibility but closes most of these attack paths.