Cline CLI 2.3.0 Compromised in npm Supply Chain Attack

A supply chain attack has affected developers using Cline CLI, an open-source AI-powered coding assistant. The incident occurred after attackers published a compromised version of the tool to the npm registry, causing an unauthorized installation of OpenClaw on developer systems.

This event highlights growing security risks in modern development workflows, especially as AI tools and automated pipelines become more common.

On February 17, 2026, attackers used a compromised npm publish token to release a malicious update: Cline CLI version 2.3.0. According to the Cline maintainers, the unauthorized package was published at 3:26 AM Pacific Time.

The attackers modified the package.json file to include a post-install script that automatically ran the following command:

npm install -g openclaw@latest

As a result, whenever a developer installed or updated to Cline CLI 2.3.0, OpenClaw was silently installed on their system without permission.

Although OpenClaw itself is not malicious, the installation was unauthorized and unexpected, making this a clear example of a supply chain compromise.
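The following Node.js function is an added example, not code from Cline, npm, or the original article. It flags install-time lifecycle hooks in a package.json that invoke a package manager to install something else, which is the pattern described above. The names `auditManifest`, `INSTALL_HOOKS` and `INSTALLER` and both sample manifests are constructed for illustration; only the postinstall command is taken from the article.

```javascript
'use strict';

// Lifecycle hooks npm runs automatically when a package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// A package-manager install/add invocation, up to the next shell separator.
// Groups: 1 = manager, 2 = "global " (yarn-style), 3 = verb, 4 = remaining args.
const INSTALLER = /\b(npm|pnpm|yarn|bun)\s+(global\s+)?(install|i|add)(?=\s|$)([^;&|]*)/g;

// Return one finding per install command found in an install-time hook.
function auditManifest(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const script = scripts[hook];
    if (typeof script !== 'string') continue;
    for (const m of script.matchAll(INSTALLER)) {
      const args = m[4].trim().split(/\s+/).filter(Boolean);
      findings.push({
        hook,
        command: m[0].trim(),
        // A global install changes the machine, not just this project's tree.
        global: Boolean(m[2]) || args.some((a) => ['-g', '--global', '--location=global'].includes(a)),
        packages: args.filter((a) => !a.startsWith('-')),
      });
    }
  }
  return findings;
}

// Constructed manifests (not the real Cline package.json). The postinstall
// command in TAMPERED is the one quoted in the article.
const TAMPERED = {
  name: 'example-cli',
  version: '0.0.0',
  scripts: { postinstall: 'npm install -g openclaw@latest' },
};
const BENIGN = {
  name: 'example-cli',
  version: '0.0.0',
  scripts: { postinstall: 'node scripts/check-node.js', test: 'npm install && jest' },
};

for (const [label, pkg] of Object.entries({ TAMPERED, BENIGN })) {
  console.log(label, JSON.stringify(auditManifest(pkg)));
}
```

Installing with `npm install --ignore-scripts` keeps hooks like this from running while a manifest is being reviewed.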

The attack affected users who downloaded Cline CLI version 2.3.0 from npm during an eight-hour window, between 3:26 AM and 11:30 AM PT on February 17, 2026.

Important clarifications:

  • Affected: Cline CLI npm package version 2.3.0

  • Not affected: Cline’s Visual Studio Code extension and JetBrains plugin

Security company StepSecurity estimates that the compromised package was downloaded around 4,000 times during this short period.

The issue was detected quickly. The Cline maintainers took several immediate steps to contain the damage:

  1. Released Cline CLI version 2.4.0, which removes the unauthorized behavior

  2. Deprecated version 2.3.0 so it can no longer be installed

  3. Revoked the compromised npm publish token

  4. Updated the publishing workflow to use OpenID Connect (OIDC) through GitHub Actions, reducing the risk of future token theft

In a public advisory, the maintainers confirmed that no other malicious code was found in the compromised release.

The Microsoft Threat Intelligence team reported a small but noticeable spike in OpenClaw installations on the same day as the attack. This spike directly matched the timeframe when the compromised Cline package was available.

Despite the large number of downloads, security experts believe the overall impact was limited.

Henrik Plate, a researcher at Endor Labs, stated that OpenClaw did not activate any background services or gateway daemons, which significantly reduced risk.

If you installed Cline CLI around February 17, 2026, you should take the following steps:

  • Update to Cline CLI version 2.4.0 or later

  • Check your system for OpenClaw

  • Remove OpenClaw if you did not intentionally install it

  • Review your development environment for unusual changes

Even though OpenClaw is not malicious, any unauthorized software installation should be treated seriously.

Security researcher Adnan Khan revealed a possible attack path that could explain how the npm token was stolen.

The issue involved a GitHub workflow that used an AI model (Claude) to automatically triage GitHub issues. While the goal was to reduce manual workload, a misconfiguration gave the AI agent excessive permissions.

By embedding a prompt injection inside a GitHub issue title, an attacker could:

  • Execute arbitrary commands

  • Poison GitHub Actions cache entries

  • Pivot from a low-privilege workflow into a high-privilege release pipeline

  • Steal npm publishing secrets

This attack technique was named “Clinejection”, building on earlier research known as PromptPwnd.

This incident shows how AI agents can become high-risk actors when given access to sensitive systems.

Chris Hughes, VP of Security Strategy at Zenity, warned that the industry has underestimated these risks:

When a single issue title can influence an automated release pipeline, AI security is no longer theoretical.

If attackers had pushed fully malicious code instead of OpenClaw, the outcome could have been far more damaging—impacting every developer who auto-updates the tool.

  • AI tools must be treated as privileged users

  • npm tokens should be replaced with trusted publishing methods

  • Automated workflows require strict permission boundaries

  • Developers must stay alert to unexpected dependency behavior

The Cline CLI supply chain attack is a strong reminder that modern software security is only as strong as its weakest automation.
