Cline CLI installed openclaw
An unauthorized party used an exposed npm publish token to publish cline@2.3.0. The release was byte-identical to cline@2.2.3 except for a postinstall script that ran npm install -g openclaw@latest.
Story
On the morning of February 17, 2026, an unknown party used an exposed npm publish token to push cline@2.3.0, a release that was byte-identical to the previous version except for a postinstall script that quietly installed a second package called OpenClaw on every machine that ran the upgrade. The package sat on the registry for roughly eight hours before Cline pulled it.
Cline is an AI coding assistant distributed as an npm CLI; its January 2026 download volume was around 418,000, according to Endor Labs. The malicious 2.3.0 release was downloaded about 4,000 times before deprecation, The Register reported.
The access path mattered more than the payload. Researcher Adnan Khan had earlier disclosed a prompt-injection weakness in Cline's AI-driven issue triage workflow, showing how a carefully written GitHub issue could manipulate the automation that held release credentials. Cline removed the workflow, but the long-lived npm token it relied on was never revoked. A different actor later used that token to publish 2.3.0. Endor Labs, which reverse-engineered the tarball (SHA-256 c5b2c21abdf0606a881f293e1cce61d38b90dac0ae647a943d36464530fbf804), noted that OpenClaw is itself a legitimate open-source project and that the compromised release did not start its gateway daemon. The harm was the silent, unrequested global install of software from a trusted package channel.
In a post-mortem, Cline said it deprecated 2.3.0, shipped 2.4.0, revoked the compromised token, and moved npm publication to OIDC provenance through GitHub Actions. The broader takeaway, StepSecurity and others noted, is that AI-driven project automation has effectively become release infrastructure. When prompt injection can reach that automation, ordinary registry credentials are what get left behind.
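The check below is an added example, not code from Cline, Endor Labs or this record's source: it flags the cline@2.3.0 release and any lifecycle hook that performs a global npm install, working on a parsed package.json or package-lock.json. The function names and sample inputs are constructed for illustration, and the lockfile layout assumed is the `packages` map used by lockfile versions 2 and 3.

```javascript
// Added example. Package name, version and hook text come from this record;
// function names and the sample inputs below are constructed for illustration.
const BAD = { name: "cline", version: "2.3.0" };
const HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// `npm install -g ...` / `npm i pkg --global`, within one shell command.
const GLOBAL_INSTALL = /\bnpm\s+(?:install|i|add)\b[^&|;]*?\s(?:-g|--global)(?=\s|$)/;

// Inspect one parsed package.json; returns a list of findings.
function auditManifest(pkg) {
  const findings = [];
  if (pkg.name === BAD.name && pkg.version === BAD.version) {
    findings.push({ type: "known-bad-version", detail: `${pkg.name}@${pkg.version}` });
  }
  for (const hook of HOOKS) {
    const script = pkg.scripts ? pkg.scripts[hook] : undefined;
    if (typeof script === "string" && GLOBAL_INSTALL.test(script)) {
      findings.push({ type: "global-install-hook", detail: `${hook}: ${script}` });
    }
  }
  return findings;
}

// Inspect a parsed package-lock.json (lockfileVersion 2 or 3); returns the
// install paths that resolve to the compromised release, nested ones included.
function auditLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === BAD.name && entry.version === BAD.version) hits.push(path);
  }
  return hits;
}

// Constructed samples (not the real tarball contents).
const SAMPLE_MANIFEST = {
  name: "cline", version: "2.3.0",
  scripts: { postinstall: "npm install -g openclaw@latest" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/cline": { version: "2.3.0", hasInstallScript: true },
    "node_modules/tool/node_modules/cline": { version: "2.4.0" },
  },
};

console.log(auditManifest(SAMPLE_MANIFEST));
console.log(auditLockfile(SAMPLE_LOCK));
```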
Affected Artifacts
- Observed: 2026-02-17
- Compromised Versions:
- Fixed: 2.4.0
- Hashes: sha256:c5b2c21abdf0606a881f293e1cce61d38b90dac0ae647a943d36464530fbf804
- Evidence: distribution: npmjs.com/package/cline/v/2.3.0, mirror: npmjs.com/package/cline, mirror: github.com/cline/cline, lifecycle_hook: postinstall npm install -g openclaw@latest
- Cline's advisory reported the exposure window as February 17, 2026 from 03:26 AM PT to 11:30 AM PT.
- Endor Labs reported the compromised npm tarball SHA-256 as c5b2c21abdf0606a881f293e1cce61d38b90dac0ae647a943d36464530fbf804.
- The Register reported about 4,000 downloads before deprecation; Endor Labs cited 418,545 cline monthly downloads for January 19 to February 17 as broader exposure context.
Incident Context
- Motive: Unauthorized Software Installation
- Cause: Compromised Account Credentials
- Transitive: No
- User Impact: 4000
External References
- Post Mortem - Unauthorized Cline CLI npm Release (cline.bot)
- GHSA-9ppg-jx86-fqw7 - Unauthorized Cline CLI npm release (github.com)
- Cline Supply Chain Attack Detected - Cline 2.3.0 Silently Installs OpenClaw (stepsecurity.io)
- Clinejection - Compromising Cline's Production Releases just by Prompting an Issue Triager (adnanthekhan.com)
- AI coding assistant Cline compromised to create more OpenClaw chaos (theregister.com)
- Supply Chain Attack targeting Cline installs OpenClaw (endorlabs.com)
Source record: oss/attacks/cline/meta.yaml