The open-source AI coding assistant Cline has faced two serious security incidents affecting developers: a supply-chain compromise of its npm distribution and a critical local WebSocket vulnerability that can lead to remote code execution. In the npm incident, an unauthorized actor published cline@2.3.0, which silently installed the OpenClaw package on user systems through the Cline CLI installation path. Maintainers said the malicious release was available for roughly eight hours, revoked the compromised publishing token, shifted npm publishing to OIDC provenance via GitHub Actions, and urged users who installed the affected version to upgrade to 2.4.0 or later and inspect their environments. Reporting cited roughly 4,000 downloads before the package was deprecated, with Microsoft also observing increased OpenClaw installations linked to the Cline installer.
Separately, GitHub disclosed CVE-2026-44211, a 9.7-severity cross-origin WebSocket hijacking flaw in the kanban npm package used by Cline. The issue stems from a local server on 127.0.0.1:3484 accepting unauthenticated cross-origin WebSocket connections without validating the Origin header, exposing endpoints including /api/runtime/ws, /api/terminal/io, and /api/terminal/control. A developer who visits a malicious website while Cline is running can have workspace paths, task data, git details, and AI chat messages exfiltrated; attackers can also inject prompts into active agent terminals to achieve arbitrary code execution or terminate sessions for denial of service on macOS, Linux, and Windows. At the time of disclosure, recommended mitigations included adding Origin validation, randomized session tokens, and authentication for terminal WebSocket access.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Further reporting identified the Cline Kanban issue as CVE-2026-44211 with a reported CVSS score of 9.7, affecting macOS, Linux, and Windows systems. At the time of reporting, no patch was available, and recommended mitigations included validating Origin headers and requiring randomized session tokens or authentication for WebSocket connections.
A GitHub security advisory disclosed a cross-origin WebSocket hijacking vulnerability in the kanban npm package used by Cline, affecting version 0.1.59 as tested. The advisory described unauthenticated localhost WebSocket endpoints that could let a malicious website exfiltrate data, inject prompts for remote code execution, and stop tasks for denial of service.
Public reporting said the compromised cline@2.3.0 package may have been downloaded about 4,000 times before deprecation, with Microsoft observing a small increase in OpenClaw installations tied to the Cline installer. The responsible actor and motive remained unknown.
After discovering the compromise, Cline maintainers revoked the compromised npm token and moved publishing to OIDC provenance through GitHub Actions. They advised affected users to upgrade to version 2.4.0 or later and inspect their environments for unauthorized OpenClaw installation.
An unauthorized party compromised the npm publishing process for the open-source Cline CLI and published version 2.3.0, which silently installed the OpenClaw package on users' machines. The malicious package was available for about eight hours on February 17, 2026.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcegithub.com
Open sourcetheregister.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.