Cline CLI’s npm package was briefly compromised after an attacker used a stolen/compromised npm publish token to publish cline@2.3.0. The unauthorized release modified package.json to add a postinstall script that globally installed openclaw@latest, causing users who installed/updated during the exposure window (reported as ~8 hours) to unknowingly pull in OpenClaw alongside Cline. While OpenClaw was described as a legitimate open-source AI assistant rather than overt malware, it is a high-privilege local agent (including a gateway daemon and integrations such as WhatsApp/Telegram/Slack/Discord/iMessage), and the incident was treated as a supply-chain compromise requiring remediation.
Independent analysis tied the incident to a broader disclosure about prompt-injection-driven supply-chain risk affecting Cline’s ecosystem, including the possibility of stealing repository/auth tokens via prompt injection and subsequent CI/CD or release pipeline abuse (e.g., GitHub Actions leading to token compromise). Detection tooling flagged the anomalous appearance of an install script in a package version that previously had none, and the compromised version was later deprecated/replaced; impacted users were advised to remove the unexpected global install:
npm uninstall -g openclaw

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
9 events from the most recent confirmed update back to the earliest known activity.
On 2026-02-19, follow-on forensic analysis reported high-confidence attribution to a GitHub user named “glthub-actions.” The report said the actor likely exploited the disclosed issue-triage prompt-injection weakness to exfiltrate publishing secrets and publish the unauthorized npm package.
Cline published GitHub Security Advisory GHSA-9ppg-jx86-fqw7 documenting the unauthorized cline@2.3.0 npm publish and providing upgrade and removal guidance for users who may have installed OpenClaw. The advisory described the incident as affecting installs during an approximately eight-hour window.
As part of the same-day response, Cline revoked the compromised npm token and migrated npm publishing to GitHub Actions OIDC provenance. The change was intended to reduce reliance on long-lived static publishing credentials.
Later on 2026-02-17, Cline remediated the incident by deprecating cline@2.3.0 and publishing cline@2.4.0. The maintainers also stated that the VS Code extension and JetBrains plugin were not affected.
The tainted cline@2.3.0 release was available for roughly eight hours on 2026-02-17 before being pulled, with reports estimating about 4,000 downloads during that window. Microsoft and others observed an uptick in OpenClaw installations tied to the unauthorized install script.
On 2026-02-17, an unauthorized party used a compromised npm publish token to release cline@2.3.0 to the npm registry. The package was modified only in package.json to add a postinstall script that globally installed openclaw@latest.
Following the public disclosure, Cline removed the vulnerable workflows and implemented mitigations within about 30 minutes, including credential rotation. Later reporting indicated the rotation was incomplete, leaving at least one publish token still valid.
After reporting no substantive response, Adnan Khan publicly disclosed the vulnerability chain in early February 2026, with multiple sources placing the disclosure on 2026-02-09. The disclosure described how prompt injection against Cline’s issue-triage automation could lead to GitHub Actions compromise and token theft.
Security researcher Adnan Khan said he privately contacted Cline starting on 2026-01-01 about a supply-chain vulnerability involving prompt injection in Cline’s AI-powered GitHub Actions workflows. The reported issue could enable code execution, cache poisoning, and theft of publishing credentials.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
12 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcethehackernews.com
Open sourcego.theregister.com
Open sourcecsoonline.com
Open sourcembgsec.com
Open sourceendorlabs.com
Open sourcesocket.dev
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.