Attackers compromised Cline CLI's npm publishing token to distribute OpenClaw via a malicious update, exposing critical vulnerabilities in AI-assisted development workflows.

Software supply chain security faced a novel threat when attackers compromised Cline CLI's npm publishing token to distribute OpenClaw, an autonomous AI agent, through a malicious update. The incident reveals how AI integration in development pipelines creates new attack surfaces that require urgent attention.
The Attack Mechanism
On February 17, 2026, attackers published Cline CLI version 2.3.0 to npm with a modified package.json containing a hidden postinstall script: npm install -g openclaw@latest. This caused OpenClaw to automatically install on developer systems during package installation. Microsoft Threat Intelligence observed a "small but noticeable uptick" in OpenClaw installations correlating with the attack window.
"The published package contains a modified package.json with an added postinstall script," confirmed Cline maintainers in their security advisory. The unauthorized version remained available for approximately eight hours before detection, during which StepSecurity recorded about 4,000 downloads.
Clinejection: The Root Cause
The breach stemmed from a vulnerability dubbed "Clinejection" by researcher Adnan Khan. Cline's GitHub repository used Claude AI to automatically triage issues, but misconfigured permissions allowed:
- Prompt injection via GitHub issue titles
- Arbitrary command execution in the default branch
- GitHub Actions cache poisoning
- Theft of npm publication credentials
"This would allow an attacker to obtain code execution in the nightly workflow and steal the publication secrets," Khan explained. "A malicious update pushed through compromised publication credentials would execute in every developer environment with automatic updates enabled."
Impact Assessment and Mitigation
While OpenClaw itself isn't malicious, Endor Labs researcher Henrik Plate notes: "The installation does not include the installation/start of the Gateway daemon. Still, this event emphasizes the need for package maintainers to not only enable trusted publishing, but also disable publication through traditional tokens."
Cline maintainers responded by:
- Deprecating version 2.3.0
- Releasing patched version 2.4.0
- Revoking compromised tokens
- Implementing OpenID Connect (OIDC) via GitHub Actions
Affected developers should:
- Update to Cline CLI 2.4.0 immediately
- Check systems for unexpected OpenClaw installations
- Remove OpenClaw if not intentionally deployed
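The check above can also be applied to package manifests directly. The following is an added example, not code from Cline, StepSecurity or any project named in this article: it audits parsed package.json objects for install-time lifecycle scripts that pull in other packages, the pattern described under The Attack Mechanism. The manifest names and versions are constructed placeholders; only the postinstall command is taken from the article.

```javascript
// Lifecycle hooks that npm runs automatically when a package is installed.
const HOOKS = ["preinstall", "install", "postinstall"];
const MANAGERS = new Set(["npm", "yarn", "pnpm"]);
const INSTALL_VERBS = new Set(["install", "i", "add"]);

// Constructed sample manifests (not real packages). The first carries the
// postinstall command quoted in the article; the second is a benign build hook.
const SAMPLE_MANIFESTS = [
  { name: "example-cli", version: "0.0.0", scripts: { postinstall: "npm install -g openclaw@latest" } },
  { name: "example-lib", version: "0.0.0", scripts: { postinstall: "node build.js && npm install" } },
];

// Split a script string into individual commands on shell separators.
function splitCommands(script) {
  return script.split(/&&|\|\||;|\||\n/).map((c) => c.trim()).filter(Boolean);
}

// Return one finding per lifecycle command that installs a named package.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    for (const command of splitCommands(scripts[hook])) {
      const words = command.split(/\s+/);
      if (!MANAGERS.has(words[0])) continue;
      const verbAt = words.findIndex((w, i) => i > 0 && INSTALL_VERBS.has(w));
      if (verbAt === -1) continue;
      // Non-flag words after the verb are package specs; none means a plain install.
      const installs = words.slice(verbAt + 1).filter((w) => !w.startsWith("-"));
      if (installs.length === 0) continue;
      const global = words.includes("-g") || words.includes("--global") || words[1] === "global";
      findings.push({ package: `${manifest.name}@${manifest.version}`, hook, global, installs, command });
    }
  }
  return findings;
}

// Audit a list of parsed package.json objects.
function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```

Feed it the parsed package.json of each installed dependency, or of a new release before upgrading. Installing with npm's --ignore-scripts option prevents lifecycle scripts from running at all.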
Broader Implications for AI Security
Chris Hughes, VP of Security Strategy at Zenity, warns: "We've been talking about AI supply chain security in theoretical terms for too long. When a single issue title can influence an automated build pipeline, the risk is no longer theoretical. The industry needs to recognize AI agents as privileged actors requiring governance."
This incident demonstrates that AI integration creates novel supply chain risks extending beyond traditional dependency vulnerabilities. Development teams using AI-assisted tooling must implement:
- Strict permission boundaries for AI agents
- Mandatory code signing and attestation
- Real-time monitoring for unexpected dependencies
- Prompt injection hardening measures
The OpenClaw GitHub repository maintainers confirmed no malicious modifications were made to their package during this incident.
