
> Step 2: The AI bot executes arbitrary code. Claude interpreted the injected instruction as legitimate and ran npm install pointing to the attacker's fork - a typosquatted repository (glthub-actions/cline, note the missing 'i' in 'github'). The fork's package.json contained a preinstall script that fetched and executed a remote shell script.

Even leaving aside the security nightmare of giving an LLM unrestricted access on your repo, you'd think the bots would be GOOD at spotting small details like typosquatted domains.




According to another comment, the title exploits GitHub's forking feature to point at a commit which appeared to be in `github-actions/cline` but which instead invisibly pointed to the typo-squatted repository.

https://news.ycombinator.com/item?id=47264574
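A pre-install check of the kind this thread points toward, as an added example that is not part of any comment or of the project's own code: it flags a GitHub owner that is a near-miss of a trusted one and lists lifecycle scripts that would run on install. The allowlist, function names and sample input are assumptions, and the check is only meaningful when given the repository the install actually resolves to.

```javascript
// Owners this project trusts (assumed allowlist for the example).
const TRUSTED_OWNERS = ["github-actions"];
// npm lifecycle hooks that run automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Levenshtein edit distance between two strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Pull the owner out of "github:owner/repo#ref", "owner/repo" or a
// github.com HTTPS URL. Returns null for plain registry package names.
function ownerOf(spec) {
  const m = spec.match(/^(?:github:|(?:git\+)?https:\/\/github\.com\/)?([A-Za-z0-9-]+)\/[\w.-]+(?:#.*)?$/);
  return m ? m[1].toLowerCase() : null;
}

// Review one install target plus its package.json (fetched, not executed).
function reviewInstall(spec, pkgJson) {
  const findings = [];
  const owner = ownerOf(spec);
  if (owner && !TRUSTED_OWNERS.includes(owner)) {
    const near = TRUSTED_OWNERS.find((t) => editDistance(owner, t) <= 2);
    findings.push(near ? `owner "${owner}" is a lookalike of "${near}"`
                       : `owner "${owner}" is not on the allowlist`);
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = pkgJson.scripts && pkgJson.scripts[hook];
    if (cmd) findings.push(`${hook} script runs on install: ${cmd}`);
  }
  return findings;
}

// Constructed sample: placeholder ref and placeholder script body.
const sample = { scripts: { preinstall: "<placeholder: fetch and run remote script>" } };
console.log(reviewInstall("github:glthub-actions/cline#0000000", sample));
```

Running `npm install --ignore-scripts` keeps lifecycle hooks from executing while a review like this is done.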



