In yet another software supply chain attack, the open-source, artificial intelligence (AI)-powered coding assistant Cline CLI was updated to stealthily install OpenClaw, a self-hosted autonomous AI agent that has become exceedingly popular in the past few months.
“On February 17, 2026, at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: cline@2.3.0,” the maintainers of the Cline package said in an advisory. “The published package contains a modified package.json with an added postinstall script: ‘postinstall”: “npm install -g openclaw@latest.'”
As a result, this causes OpenClaw to be installed on the developer’s machine when Cline version 2.3.0 is installed. Cline said no additional modifications were introduced to the package and there was no malicious behavior observed. However, it noted that the installation of OpenClaw was not authorized or intended.
The supply chain attack affects all users who installed the Cline CLI package published on npm, specifically version 2.3.0, during an approximately eight-hour window between 3:26 a.m. PT and 11:30 a.m. PT on February 17, 2026. The incident does not impact Cline’s Visual Studio Code (VS Code) extension and JetBrains plugin.
To mitigate the unauthorized publication, Cline maintainers have released version 2.4.0. Version 2.3.0 has since been deprecated and the compromised token has been revoked. Cline also said the npm publishing mechanism has been updated to support OpenID Connect (OIDC) via GitHub Actions.
In a post on X, the Microsoft Threat Intelligence team said it observed a “small but noticeable uptick” in OpenClaw installations on February 17, 2026, as a result of the supply chain compromise of the Cline CLI package. According to StepSecurity, the compromised Cline package was downloaded roughly 4,000 times during the eight-hour stretch.
Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required.
“Overall impact is considered low, despite high download counts: OpenClaw itself is not malicious, and the installation does not include the installation/start of the Gateway daemon,” Endor Labs researcher Henrik Plate said.
“Still, this event emphasizes the need for package maintainers to not only enable trusted publishing, but also disable publication through traditional tokens – and for package users to pay attention to the presence (and sudden absence) of corresponding attestations.”
Leveraging Clinejection to Leak Publication Secrets
While it’s currently not clear who is behind the breach of the npm package and what their end goals were, it comes after security researcher Adnan Khan discovered that attackers could steal the repository’s authentication tokens through prompt injection by taking advantage of the fact that it is configured to automatically triage any incoming issue raised on GitHub.
“When a new issue is opened, the workflow spins up Claude with access to the repository and a broad set of tools to analyze and respond to the issue,” Khan explained. “The intent: automate first-response to reduce maintainer burden.”
But a misconfiguration in the workflow meant that it gave Claude excessive permissions to achieve arbitrary code execution within the default branch. This aspect, combined with a prompt injection embedded within the GitHub issue title, could be exploited by an attacker with a GitHub account to trick the AI agent into running arbitrary commands and compromise production releases.
This shortcoming, which builds upon PromptPwnd, has been codenamed Clinejection. It was introduced in a source code commit made on December 21, 2025. The attack chain is outlined below –
- Prompt Claude to run arbitrary code in issue triage workflow
- Evict legitimate cache entries by filling the cache with more than 10GB of junk data, triggering GitHub’s Least Recently Used (LRU) cache eviction policy
- Set poisoned cache entries matching the nightly release workflow’s cache keys
- Wait for the nightly publish to run at around 2 a.m. UTC and trigger on the poisoned cache entry
“This would allow an attacker to obtain code execution in the nightly workflow and steal the publication secrets,” Khan noted. “If a threat actor were to obtain the production publish tokens, the result would be a devastating supply chain attack.”
“A malicious update pushed through compromised publication credentials would execute in the context of every developer who has the extension installed and set to update automatically.”
In other words, the attack sequence employs GitHub Actions cache poisoning to pivot from the triage workflow to a highly privileged workflow, such as the Publish Nightly Release and Publish NPM Nightly workflows, and steal the nightly publication credentials, which have the same access as those used for production releases.
As it turns out, this is exactly what happened, with the unknown threat actor weaponizing an active npm publish token (referred to as NPM_RELEASE_TOKEN or NPM_TOKEN) to authenticate with the Node.js registry and publish Cline version 2.3.0.
“We have been talking about AI supply chain security in theoretical terms for too long, and this week it became an operational reality,” Chris Hughes, VP of Security Strategy at Zenity, said in a statement shared with The Hacker News. “When a single issue title can influence an automated build pipeline and affect a published release, the risk is no longer theoretical. The industry needs to start recognizing AI agents as privileged actors that require governance.”
