
In yet another software supply chain attack, the open-source artificial intelligence (AI)-powered coding assistant Cline CLI was updated to secretly install OpenClaw, a self-hosted autonomous AI agent that has become extremely popular over the past few months.
“On February 17, 2026 at 3:26 AM PT, an unauthorized party published an update to the Cline CLI on the npm registry, cline@2.3.0, using a compromised npm publish token,” the Cline maintainers said in an advisory. “The published package contains a modified package.json with the following postinstall script added: "postinstall": "npm install -g openclaw@latest".”
As a result, when Cline version 2.3.0 is installed, OpenClaw is also installed on the developer’s machine. Cline said no other changes were made to the package and no malicious behavior was observed, but noted that the installation of OpenClaw was neither authorized nor intended.
This supply chain attack affects all users who installed version 2.3.0 of the Cline CLI package from npm during the roughly 8-hour window from 3:26 AM PT to 11:30 AM PT on February 17, 2026. The incident does not affect Cline’s Visual Studio Code (VS Code) extension or its JetBrains plugin.
To address the unauthorized release, the Cline maintainers have published version 2.4.0. Version 2.3.0 has since been deprecated and the compromised token has been revoked. Cline also said its npm publishing mechanism has been moved to OpenID Connect (OIDC)-based trusted publishing via GitHub Actions.
According to StepSecurity, the compromised Cline package was downloaded approximately 4,000 times during the eight-hour window.
Users are encouraged to update to the latest version, check their environments for unexpected installations of OpenClaw, and remove any that are not needed.
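One way to perform the check recommended above, as an added example that is not from the Cline advisory or the Cline project: a POSIX shell audit of a global node_modules directory for the three indicators the advisory describes (cline at 2.3.0, the openclaw postinstall line, and an unrequested openclaw package). It assumes npm's default <node_modules>/<package>/package.json layout and uses a constructed sample tree in place of a real install.

```shell
# Added audit script, not from the Cline advisory. Assumes POSIX sh and grep
# and npm's default layout <node_modules>/<package>/package.json; on a real
# machine pass "$(npm root -g)" to audit_node_modules.

# Exit 0 if the package.json at $1 carries the postinstall line added in
# cline@2.3.0: "postinstall": "npm install -g openclaw@latest".
has_openclaw_postinstall() {
    [ -f "$1" ] || return 1
    grep -Eq '"postinstall"[[:space:]]*:[[:space:]]*"npm install -g openclaw' "$1"
}

# Exit 0 if the package.json at $1 reports the compromised version 2.3.0.
is_compromised_cline() {
    [ -f "$1" ] || return 1
    grep -Eq '"version"[[:space:]]*:[[:space:]]*"2\.3\.0"' "$1"
}

# Walk one node_modules directory; print each finding and exit 1 if any.
audit_node_modules() {
    dir="$1"; found=0
    if is_compromised_cline "$dir/cline/package.json"; then
        echo "FINDING: cline@2.3.0 installed under $dir (upgrade to 2.4.0)"; found=1
    fi
    if has_openclaw_postinstall "$dir/cline/package.json"; then
        echo "FINDING: cline postinstall installs openclaw"; found=1
    fi
    if [ -d "$dir/openclaw" ]; then
        echo "FINDING: openclaw present under $dir; remove it if not intended"; found=1
    fi
    return $found
}

# Constructed sample tree mirroring the advisory's package.json (not a real install).
make_sample_tree() {
    mkdir -p "$1/cline" "$1/openclaw"
    cat > "$1/cline/package.json" <<'EOF'
{
  "name": "cline",
  "version": "2.3.0",
  "scripts": { "postinstall": "npm install -g openclaw@latest" }
}
EOF
}

# Demo run against the constructed sample; a real run is audit_node_modules "$(npm root -g)".
SAMPLE=$(mktemp -d)
make_sample_tree "$SAMPLE"
audit_node_modules "$SAMPLE" || echo "sample tree flagged as expected"
```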
“Despite the high number of downloads, we believe the overall impact is low. OpenClaw itself is not malicious, and the installation does not include installing/starting a gateway daemon,” said Endor Labs researcher Henrik Plate.
“Nevertheless, this event highlights the need for package administrators to not only enable trusted publishing, but also to disable publishing via traditional tokens, and for package users to be aware of the presence (and sudden absence) of corresponding certificates.”
Leaking publish secrets via Clinejection
It’s not currently clear who was behind the npm package compromise or what their ultimate goal was, but it comes after security researcher Adnan Khan found that attackers could abuse the fact that Cline’s GitHub repository was configured to automatically triage newly opened issues with an AI agent, and steal repository authentication tokens through prompt injection.
“When a new issue is opened, the workflow launches Claude and provides it access to the repository and a broad set of tools to analyze and respond to the issue,” Khan explained. “Purpose: Automate initial response and reduce the burden on maintainers.”
However, a misconfiguration in the workflow gave Claude excessive privileges, allowing it to execute arbitrary code in the context of the default branch. This, combined with a prompt injection embedded in a GitHub issue title, could be exploited by anyone with a GitHub account to trick the AI agent into executing arbitrary commands and compromise a product release.
The weakness, which builds on PromptPwnd, has been codenamed Clinejection. It was introduced in a source code commit made on December 21, 2025. The attack chain is outlined below:
1. Instruct Claude to run arbitrary code in the issue triage workflow.
2. Fill the cache with more than 10GB of junk data to trigger GitHub’s least recently used (LRU) cache eviction policy and evict the legitimate cache entries.
3. Set a tainted cache entry that matches the nightly release workflow’s cache key.
4. Wait for the nightly publish workflow to run at around 2:00 AM UTC and pick up the tainted cache entry.
“This allows an attacker to execute code in the nightly workflow and steal the publish secrets,” Khan pointed out. “If an attacker were to obtain the production publish token, the result would be a devastating supply chain attack.”
“A malicious update pushed via compromised publish credentials would run in the context of any developer who has the extension installed and set to update automatically.”
In summary, this attack sequence uses cache poisoning in GitHub Actions to pivot from a triage workflow to a highly privileged workflow, such as a Publish Nightly Release workflow or a Publish NPM Nightly workflow, and steal nightly publication credentials with the same access rights used for production releases.
As it turns out, this is exactly what happened: an unknown attacker armed with an active npm publish token (referred to as NPM_RELEASE_TOKEN or NPM_TOKEN) authenticated to the npm registry and published Cline version 2.3.0.
“For too long we have been talking about AI supply chain security from a theoretical perspective, but this week it became an operational reality,” Chris Hughes, vice president of security strategy at Zenity, said in a statement shared with The Hacker News. “When a single issue title can impact automated build pipelines and impact published releases, that risk is no longer theoretical. The industry needs to start recognizing AI agents as privileged actors that require governance.”
