A software supply chain compromise has impacted users of the open source AI powered coding assistant Cline CLI after attackers published a malicious update to the npm registry that triggered the installation of OpenClaw on developer systems. On February 17, 2026, at 3:26 a.m. PT, an unauthorized actor used a compromised npm publish token to release cline version 2.3.0. According to an advisory issued by the Cline maintainers, the published package contained a modified package.json file that introduced a postinstall script instructing systems to execute npm install globally for openclaw at the latest version. As a result, developers who installed Cline CLI version 2.3.0 during the exposure window also had OpenClaw installed automatically on their machines without prior authorization.
The maintainers clarified that no additional malicious modifications were introduced into the package and no harmful behavior was observed beyond the unintended installation. However, they emphasized that the inclusion of the OpenClaw installation script was neither authorized nor part of the intended release. The incident affected users who downloaded Cline CLI version 2.3.0 between 3:26 a.m. PT and 11:30 a.m. PT on February 17, an exposure period of roughly eight hours. The compromise did not impact the Cline Visual Studio Code extension or the JetBrains plugin. To address the issue, the team deprecated version 2.3.0, revoked the compromised publish token, and released version 2.4.0. In addition, the npm publishing workflow has been updated to support OpenID Connect authentication through GitHub Actions to strengthen release security controls.
Microsoft Threat Intelligence reported a small but noticeable increase in OpenClaw installations on February 17 that correlated with the supply chain event. Data from StepSecurity indicated that the compromised package was downloaded approximately 4,000 times during the affected period. Users have been advised to upgrade to the latest version of Cline CLI, review their systems for any unexpected OpenClaw installations, and remove the software if it was not intentionally deployed. Endor Labs researcher Henrik Plate assessed the overall impact as low, noting that OpenClaw itself is not malicious and that the installation did not automatically start its gateway daemon. Even so, he highlighted the importance of enabling trusted publishing mechanisms and disabling traditional token based release methods, while encouraging users to monitor package attestations for sudden changes.
The breach follows research by security analyst Adnan Khan, who previously identified a vulnerability dubbed Clinejection that could allow attackers to exploit GitHub issue triage workflows configured to use AI agents. In this scenario, an automated workflow launched an AI model with broad repository access to analyze and respond to newly opened issues. A misconfiguration granted excessive permissions, enabling arbitrary code execution within the default branch when combined with a prompt injection embedded in a GitHub issue title. The attack chain involved manipulating GitHub Actions cache behavior, evicting legitimate cache entries, poisoning cache keys associated with nightly release workflows, and ultimately obtaining execution in privileged publishing workflows. This pathway could allow threat actors to steal npm publication credentials and push unauthorized releases. Investigators believe a similar mechanism enabled the misuse of an active npm release token to publish Cline version 2.3.0, highlighting the operational risks posed by AI integrated development pipelines and the need for stronger governance around automated agents with production level access.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
