Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems

In yet another software attack, the open-source, artificial intelligence (AI)-powered coding assistant Cline CLI was updated to include OpenClaw, an independent AI agent that became popular a few months ago.

“On February 17, 2026, at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to the Cline CLI in the NPM registry: cline@2.3.0,” the maintainers of the Cline package said in an advisory. “The published package contains a modified package.json with an additional post install script: ‘postinstall”: “npm install -g openclaw@latest.”

Consequently, this causes OpenClaw to be installed on the developer’s machine when Cline version 2.3.0 is installed. Cline said no additional changes were introduced in the package and no misconduct was noted. However, it noted that the installation of OpenClaw was neither authorized nor intended.

The supply chain attack affects all users who installed a Cline CLI package published on npm, specifically version 2.3.0, during an eight-hour window between 3:26 am PT and 11:30 am PT on February 17, 2026. The incident does not affect Cline’s Visual Studio Code (VS Code) extension and JetBrains.

To reduce unauthorized publication, the Cline maintainers have released version 2.4.0. Version 2.3.0 has since been withdrawn and the vulnerable token has been withdrawn. Cline also said that the npm publishing method has been updated to support OpenID Connect (OIDC) via GitHub Actions.

In a post on X, the Microsoft Threat Intelligence team said it saw a “small but significant uptick” in OpenClaw installations on February 17, 2026, due to the downgrading of the Cline CLI package supply chain. According to StepSecurity, the vulnerable Cline package was downloaded about 4,000 times during an eight-hour stretch.

Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not needed.

“The overall impact is considered low, despite the high download numbers: OpenClaw itself is not malicious, and the installation does not involve installing/starting the Gateway daemon,” said Endor Labs researcher Henrik Plate.

“Nevertheless, this event underscores the need for package maintainers to not only allow trusted publishing, but also disable publishing with traditional tokens – and for package users to pay attention to the presence (and sudden absence) of corresponding proofs.”

Using Clinejection to Leak Publishing Secrets

While it is not yet clear who created the npm package breach and what their end goals were, it comes after security researcher Adnan Khan discovered that attackers could steal the repository’s authentication tokens through rapid injection by taking advantage of the fact that it is configured to automatically check any incoming issue raised on GitHub.

“When a new issue is opened, the workflow integrates Claude with access to the repository and a comprehensive set of tools to analyze and respond to the issue,” Khan explained. “The goal: change the initial response to reduce caregiver burden.”

But a misconfiguration in the workflow meant that it gave Claude excessive permissions to access arbitrary code releases within the default branch. This feature, combined with a quick injection embedded within a GitHub issue topic, can be exploited by an attacker with a GitHub account to trick the AI ​​agent into executing arbitrary commands and risking a production release.

This flaw, which builds on PromptPwnd, is codenamed Clinejection. It was introduced with a source code commit made on December 21, 2025. The attack chain is presented below –

• Notify Claude that he used the wrong code in the workflow problem triage
• Remove valid repository entries by filling the repository with more than 10GB of junk data, which triggers GitHub’s Less Recently Used (LRU) repository removal policy
• Set toxic cache entries such as cache keys for nightly workloads
• Expect the nightly publishing to start around 2am UTC and start entering the poisoned cache.

“This will allow an attacker to use the code in night operations and steal the secrets of the publication,” Khan noted. “If a threat actor were to obtain production publishing tokens, the result would be a devastating attack on the supply chain.”

“A malicious update pushed with compromised publication credentials will run in the context of every developer that has the extension installed and set to update automatically.”

In other words, the attack sequence uses GitHub Actions repository poison to bypass three workflows to high-privilege workflows, such as Publish Nightly Release and Publish NPM Nightly workflows, and steal nightly publishing credentials, which have the same access as those used for production releases.

As it turns out, this is what happened, an unknown malicious actor used a valid npm release token (referred to as NPM_RELEASE_TOKEN or NPM_TOKEN) to verify the Node.js registration and publish the Cline 2.3.0 version.

“We’ve been talking about AI chain security in terms of statistics for a very long time, and this week it became a reality,” said Chris Hughes, VP of Security Strategy at Zenity, in a statement shared with Hacker News. “When the topic of a single issue can influence the automated build path and affect published releases, the risk is no longer a theory. The industry needs to start recognizing AI agents as special actors that need to be managed.”