Unauthorized Update to Cline CLI 2.3.0 Installs OpenClaw on Developer Systems
In a recent software supply chain attack, the open-source, AI-powered coding assistant Cline CLI was compromised to surreptitiously install OpenClaw, a self-hosted autonomous AI agent that has gained significant popularity in recent months.
On February 17, 2026, at 3:26 AM PT, an unauthorized entity used a compromised npm publish token to release an update to Cline CLI, version 2.3.0, on the npm registry. This update included a modified `package.json` file with an added post-installation script: `"postinstall": "npm install -g openclaw@latest"`. Because npm runs a package's `postinstall` script automatically once the package has been installed, installing Cline version 2.3.0 led to the unintended installation of OpenClaw on developers’ machines.
The Cline maintainers have clarified that no additional modifications were made to the package, and no malicious behavior was observed. However, the installation of OpenClaw was neither authorized nor intended.
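The manifest change described above can be caught by comparing the install-time lifecycle scripts of two published versions. The following is an added example, not code from Cline or from the original article; the package name `cline`, the "previous" manifest and the `build` script are constructed, and only the `postinstall` line comes from the page.

```javascript
// Hooks that npm runs automatically when a package is installed from a registry.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Commands that pull further packages onto the machine at install time.
const FETCHES_PACKAGES = /\b(npm|pnpm|yarn)\s+(install|i|add)\b|\bnpx\s+\S+/;
const GLOBAL_FLAG = /(^|\s)(-g|--global)(\s|$)/;

// Compare two manifests and report install hooks that were added or changed.
function auditLifecycleChange(prevManifest, nextManifest) {
  const prev = prevManifest.scripts || {};
  const next = nextManifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = next[hook];
    if (typeof cmd !== "string" || cmd === prev[hook]) continue;
    findings.push({
      hook,
      command: cmd,
      change: hook in prev ? "modified" : "added",
      fetchesPackages: FETCHES_PACKAGES.test(cmd),
      globalInstall: GLOBAL_FLAG.test(cmd),
    });
  }
  return findings;
}

// Constructed manifests: package name and earlier version are assumptions.
const previousManifest = {
  name: "cline", version: "<previous>", scripts: { build: "tsc" },
};
const publishedManifest = {
  name: "cline", version: "2.3.0",
  scripts: { build: "tsc", postinstall: "npm install -g openclaw@latest" },
};

for (const f of auditLifecycleChange(previousManifest, publishedManifest)) {
  console.log(`${f.change} ${f.hook}: ${f.command}` +
    (f.fetchesPackages ? " [fetches packages]" : "") +
    (f.globalInstall ? " [global install]" : ""));
}
```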
Impact and Response
This supply chain attack affected users who installed the Cline CLI package version 2.3.0 from the npm registry during an eight-hour window between 3:26 AM PT and 11:30 AM PT on February 17, 2026. Notably, Cline’s Visual Studio Code (VS Code) extension and JetBrains plugin were not impacted.
In response to the incident, the Cline maintainers have taken the following actions:
– Released version 2.4.0 to mitigate the unauthorized publication.
– Deprecated version 2.3.0.
– Revoked the compromised token.
– Updated the npm publishing mechanism to support OpenID Connect (OIDC) via GitHub Actions.
The Microsoft Threat Intelligence team observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, attributed to this supply chain compromise. According to StepSecurity, the compromised Cline package was downloaded approximately 4,000 times during the eight-hour period.
Recommendations for Users
Users are advised to:
– Update to the latest version of Cline CLI.
– Check their systems for any unexpected installations of OpenClaw.
– Remove OpenClaw if it is not required.
Endor Labs researcher Henrik Plate noted that the overall impact is considered low, despite the high download counts. OpenClaw itself is not malicious, and installing it does not start the Gateway daemon. However, this event underscores the necessity for package maintainers to enable trusted publishing and disable publication through traditional tokens. Users should also be vigilant about the presence (and sudden absence) of corresponding attestations.
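One way to watch for the "sudden absence" of attestations is to walk a package's registry metadata in publish order and flag any version without an attestation that follows one with it. This is an added example, not from the original article; it assumes the npm registry metadata shape in which attested versions carry `dist.attestations`, and the package `example-cli` with its versions and timestamps is constructed.

```javascript
// Flags versions published without a provenance attestation after an
// earlier version of the same package had one.
function findAttestationDrops(packument) {
  const time = packument.time || {};
  const ordered = Object.keys(packument.versions || {})
    .filter((v) => !Number.isNaN(Date.parse(time[v])))
    .sort((a, b) => Date.parse(time[a]) - Date.parse(time[b]));
  const drops = [];
  let lastAttested = null;
  for (const version of ordered) {
    const dist = packument.versions[version].dist || {};
    if (dist.attestations && dist.attestations.url) {
      lastAttested = version;
    } else if (lastAttested !== null) {
      drops.push({ version, published: time[version], lastAttested });
    }
  }
  return drops;
}

// Constructed metadata for a hypothetical package "example-cli".
const attested = (v) => ({
  dist: { attestations: {
    url: `https://registry.npmjs.org/-/npm/v1/attestations/example-cli@${v}`,
    provenance: { predicateType: "https://slsa.dev/provenance/v1" },
  } },
});
const samplePackument = {
  name: "example-cli",
  time: {
    "0.9.0": "2025-01-10T09:00:00.000Z",
    "1.0.0": "2025-03-02T09:00:00.000Z",
    "1.1.0": "2025-04-20T09:00:00.000Z",
    "1.2.0": "2025-05-01T03:00:00.000Z",
    "1.3.0": "2025-05-01T12:00:00.000Z",
  },
  versions: {
    "0.9.0": { dist: {} },        // before provenance was adopted: not a drop
    "1.0.0": attested("1.0.0"),
    "1.1.0": attested("1.1.0"),
    "1.2.0": { dist: {} },        // published without an attestation
    "1.3.0": attested("1.3.0"),
  },
};

for (const d of findAttestationDrops(samplePackument)) {
  console.log(`${d.version} (${d.published}) lacks an attestation; ${d.lastAttested} had one`);
}
```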
Exploitation of Clinejection to Leak Publication Secrets
The breach’s perpetrators and their objectives remain unclear. However, security researcher Adnan Khan discovered that attackers could steal the repository’s authentication tokens through prompt injection, by abusing a repository configuration that automatically triaged any incoming issue raised on GitHub.
When a new issue was opened, the workflow initiated Claude with access to the repository and a broad set of tools to analyze and respond to the issue. The intent was to automate first-response to reduce maintainer burden.
However, a misconfiguration in the workflow granted Claude excessive permissions, allowing arbitrary code execution within the default branch. Combined with a prompt injection embedded within the GitHub issue title, an attacker with a GitHub account could trick the AI agent into running arbitrary commands and compromise production releases.
This vulnerability, building upon PromptPwnd, has been codenamed Clinejection. It was introduced in a source code commit made on December 21, 2025.
Attack Chain Overview
The attack chain is outlined as follows:
1. Prompt Claude to run arbitrary code in the issue triage workflow.
2. Evict legitimate cache entries by filling the cache with over 10GB of junk data, triggering GitHub’s Least Recently Used (LRU) cache eviction policy.
3. Set poisoned cache entries matching the nightly release workflow’s cache keys.
4. Wait for the nightly publish to run at around 2 AM UTC and trigger on the poisoned cache entry.
This sequence allowed an attacker to obtain code execution in the nightly workflow and steal the publication secrets. If a threat actor were to obtain the production publish tokens, the result would be a devastating supply chain attack.
A malicious update pushed through compromised publication credentials would execute in the context of every developer who has the extension installed and set to update automatically.
In essence, the attack sequence employs GitHub Actions cache poisoning to pivot from the triage workflow to a highly privileged workflow, such as the Publish Nightly Release and Publish NPM Nightly workflows, and steal the nightly publication credentials, which have the same access as those used for production releases.
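A repository owner can review workflows for the two conditions this chain depends on: issue text reaching a step in an issue-triggered workflow, and a cache being restored in a workflow that holds publish secrets. The following is an added example using text heuristics rather than a YAML parser; it is not the Cline project's workflow or tooling, and the workflow contents, the action name `example/ai-triage-action` and the secret name `NPM_TOKEN` are constructed.

```javascript
const ISSUE_TRIGGER = /^\s*(issues|issue_comment)\s*:|^on:[^\n]*\b(issues|issue_comment)\b/m;
const UNTRUSTED_TEXT = /\$\{\{\s*github\.event\.(issue\.(title|body)|comment\.body)\s*\}\}/;
const USES_CACHE = /uses:\s*actions\/cache(\/restore)?@|^\s*cache:\s*\S+/m;
const SECRET_REF = /\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}/g;

function lintWorkflow(yamlText) {
  const findings = [];
  // Issue text is attacker-controlled and must not be interpolated into steps.
  if (ISSUE_TRIGGER.test(yamlText) && UNTRUSTED_TEXT.test(yamlText)) {
    findings.push("issue-text-interpolated");
  }
  // A job holding publish secrets should not restore a shared cache.
  const secrets = [...yamlText.matchAll(SECRET_REF)]
    .map((m) => m[1])
    .filter((name) => name !== "GITHUB_TOKEN");
  if (secrets.length > 0 && USES_CACHE.test(yamlText)) {
    findings.push("cache-with-secrets:" + [...new Set(secrets)].join(","));
  }
  return findings;
}

// Constructed workflows; action name and secret name are hypothetical.
const triageWorkflow = [
  "on:",
  "  issues:",
  "    types: [opened]",
  "jobs:",
  "  triage:",
  "    steps:",
  "      - uses: example/ai-triage-action@v1",
  "        with:",
  '          prompt: "Triage: ${{ github.event.issue.title }}"',
].join("\n");
const publishWorkflow = [
  "on:",
  "  schedule:",
  '    - cron: "0 2 * * *"',
  "jobs:",
  "  publish:",
  "    steps:",
  "      - uses: actions/cache@v4",
  "        with: { path: node_modules, key: deps-v1 }",
  "      - run: npm publish",
  "        env: { NODE_AUTH_TOKEN: '${{ secrets.NPM_TOKEN }}' }",
].join("\n");

console.log(lintWorkflow(triageWorkflow), lintWorkflow(publishWorkflow));
```

Both findings are prompts for manual review: a match means the workflow has the shape described above, not that it is exploitable as written.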
This incident highlights the critical need for robust security measures in software development workflows, especially when integrating AI agents. Chris Hughes, VP of Security Strategy at Zenity, emphasized that the risk is no longer theoretical when a single issue title can influence an automated build pipeline and affect a published release. The industry must recognize AI agents as privileged actors that require governance.