- The AI-powered Cline CLI npm package was compromised, leading to an unauthorized update that installed the OpenClaw AI agent on developer machines.
- The breach, attributed to a stolen npm publish token, affected around 4,000 downloads over an eight-hour window on February 17, 2026.
- Security researchers link the attack to a prior vulnerability called “Clinejection,” where prompt injection in GitHub issues could steal publishing credentials.
- Maintainers have deprecated the malicious version, revoked the token, and updated their publishing security.
In a significant software supply chain attack, the open-source Cline CLI coding assistant was compromised on February 17, 2026, leading to an unauthorized update that secretly installed OpenClaw on developers’ systems. The attack, spotted by the Microsoft Threat Intelligence team, resulted from a stolen npm publish token used to release a malicious version, according to an advisory.
Consequently, the package’s `postinstall` script forced an automatic OpenClaw installation for anyone downloading version 2.3.0. StepSecurity data shows roughly 4,000 downloads occurred during the eight-hour compromise window before the package was deprecated.
Meanwhile, researchers traced the breach’s origins to a vulnerability dubbed “Clinejection,” discovered by Adnan Khan. This flaw allowed attackers to use prompt injection on GitHub issues to execute arbitrary commands and steal high-privilege publication tokens.
This method could poison a repository’s build cache and pivot to a release workflow, exactly what happened to obtain the npm token. The stolen credential was then used to authenticate and publish the compromised package to the registry.
However, Endor Labs researcher Henrik Plate assessed the overall impact as low, noting “OpenClaw itself is not malicious.” The incident did not affect Cline’s VS Code extension or JetBrains plugin.
Consequently, maintainers have revoked the token, deprecated version 2.3.0, and released a secure version 2.4.0. They also updated their npm publishing to use more secure OpenID Connect authentication via GitHub Actions.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
