A supply chain attack targeting the popular AI coding assistant Cline resulted in the silent installation of OpenClaw on approximately 4,000 developer systems, highlighting the growing security challenges surrounding AI agent frameworks.
What Happened
On February 17, 2026, at 3:26 AM PT, an unauthorized party used a compromised npm publish token to release Cline CLI version 2.3.0 with a malicious postinstall script: npm install -g openclaw@latest. The compromised package was available for approximately eight hours before being deprecated at 11:30 AM PT.
How the Token Was Stolen
Security researcher Adnan Khan had previously disclosed a vulnerability dubbed "Clinejection," which demonstrated how prompt injection could exploit Cline’s auto-triage GitHub workflow to steal authentication tokens. The attacker leveraged GitHub Actions cache poisoning to pivot from a low-privilege triage workflow to the nightly publish workflow, gaining access to the npm token.
Impact
The attack affected all users who installed Cline CLI v2.3.0 from npm during the 8-hour window. Importantly, the VS Code extension and JetBrains plugin were not affected — only the CLI package was compromised.
Response
- Released version 2.4.0 as a clean replacement.
- Deprecated version 2.3.0 and revoked the compromised token.
- Upgraded the npm publishing mechanism to support OIDC via GitHub Actions, eliminating long-lived tokens.
Affected users are advised to update to Cline v2.4.0 and check for unexpected global OpenClaw installations. The incident underscores the importance of supply chain security in the AI tooling ecosystem.