A suspected npm supply-chain compromise affected the widely used autonomous coding agent CLI cline when version cline@2.3.0 was published with a malicious postinstall script that silently installed a secondary package, openclaw, on systems running npm install cline. StepSecurity reported the release was downloaded roughly 4,000 times before maintainers deprecated it about 8 hours after publication, and noted the release deviated from prior OIDC-based GitHub Actions Trusted Publishing by being manually published by an npm user account—an anomaly consistent with compromised credentials or a hijacked release process.
In parallel, Adversa AI described SecureClaw, an open-source security plugin + skill intended to add auditing and rule-based controls to OpenClaw agent environments and to reduce exposure to issues like prompt injection by enforcing controls at the plugin (code) layer rather than relying only on in-context “skill” instructions. While not a direct incident report, the SecureClaw release is contextually relevant because it targets the same OpenClaw ecosystem that was leveraged as the silently installed dependency in the cline incident, underscoring growing security concerns around AI agent tooling, supply-chain risk, and enforceable guardrails for agent permissions and behavior.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
By 2026-02-18, Adversa AI had released SecureClaw as a free open-source project on GitHub to secure OpenClaw-based AI agent environments. The project combines a code-level plugin and an agent skill, with audit checks, hardening modules, behavioral rules, and mappings to OWASP ASI Top 10, MITRE ATLAS, and CoSAI guidance.
The cline supply-chain incident was tracked under GitHub Security Advisory GHSA-9ppg-jx86-fqw7, documenting the malicious package version and remediation guidance. This formalized the issue as a disclosed security advisory.
About eight hours after the malicious release, after roughly 4,000 downloads, maintainers deprecated cline 2.3.0 and later published a clean version through the trusted pipeline. Users were directed to upgrade to version 2.4.0 or later and remove any unintended global installation of openclaw.
On 2026-02-17, StepSecurity detected the malicious cline release and identified indicators including publication by the npm user clinebotorg, deviation from the project's prior GitHub Actions OIDC trusted publishing pattern, and missing npm provenance attestations. The incident was also independently discovered and reported by Adnan Khan.
On 2026-02-17, a suspicious npm release of the cline autonomous coding agent CLI was published as version 2.3.0. The package included a malicious post-install script that silently installed the openclaw package globally, creating a supply-chain risk for developer and CI/CD environments.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
helpnetsecurity.com
Open sourcestepsecurity.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.