Attackers exploited compromised credentials to push a malicious npm package update, forcing unintended installations of OpenClaw AI agents on developer systems.
A supply chain attack targeting open-source AI coding assistant Cline CLI resulted in unauthorized installations of OpenClaw software on developer machines this week. According to Cline's maintainers, an unidentified attacker used compromised credentials to publish version 2.3.0 of the cline npm package on February 17. This malicious update automatically installed OpenClaw—a separate AI agent platform—on systems during the Cline installation process.
The compromised package remained available in npm's registry for approximately eight hours between 3:26 AM and 11:30 AM Pacific Time. Maintainers confirmed that OpenClaw itself isn't inherently malicious, but its installation was neither authorized nor intended as part of the Cline package. Security firm StepSecurity recorded approximately 4,000 downloads of the compromised version during this window.
This incident follows recent security research by Adnan Khan, who identified a prompt injection vulnerability in Cline CLI. Khan disclosed his findings to maintainers earlier this month, noting attackers exploited his proof-of-concept research: "A different actor found my PoC on my test repository and used it to directly attack Cline and obtain the publication credentials." Microsoft observed increased OpenClaw installations correlating with the attack timeframe, confirming the incident's scale.
Cline maintainers have implemented critical security enhancements in response:
- Revoked all compromised publishing tokens
- Migrated npm publishing to OpenID Connect (OIDC) provenance via GitHub Actions
- Released patched versions (2.4.0 and higher) without the OpenClaw dependency
Affected developers must:
- Immediately upgrade to Cline CLI version 2.4.0 or newer
- Check systems for unintended OpenClaw installations using package managers
- Audit environment variables and processes for unexpected AI agent activity
The attack highlights growing supply chain risks in open-source tooling. While OpenClaw's installation appears opportunistic rather than overtly destructive, unauthorized AI agents introduce unpredictable operational and security consequences. Maintainers emphasize credential hardening through OIDC reduces future attack surfaces, though the perpetrator's identity and motives remain unknown.
Documentation:
Comments
Please log in or register to join the discussion