A recent software supply chain incident impacted the open source AI coding assistant Cline CLI, after attackers published a compromised version to the npm registry that silently installed OpenClaw on developer systems.
On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to release cline@2.3.0. The altered package included a modified package.json file containing a postinstall script that executed:
npm install -g openclaw@latest
As a result, developers who installed version 2.3.0 during the exposure window unknowingly installed OpenClaw, a self-hosted AI agent that has gained popularity in recent months.
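A check for the pattern described above, added here as an example and not taken from Cline or npm tooling: it parses a package.json and flags install-time lifecycle hooks that call a package manager to install further packages. The function name auditManifest and both sample manifests are constructed for illustration; only the package name, version and postinstall command come from the incident description.

```javascript
// Hooks npm runs automatically when a package is installed from the registry.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const MANAGERS = new Set(["npm", "pnpm", "yarn"]);
const INSTALL_VERBS = new Set(["install", "i", "add"]);

// Returns one finding per hook command that installs further packages.
function auditManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    // A hook may chain several commands; inspect each one separately.
    for (const segment of scripts[hook].split(/&&|\|\||[;|]/)) {
      const tokens = segment.trim().split(/\s+/).filter(Boolean);
      if (!MANAGERS.has(tokens[0])) continue;
      const verbAt = tokens.findIndex((t, i) => i > 0 && INSTALL_VERBS.has(t));
      if (verbAt === -1) continue;
      const yarnGlobal = tokens[0] === "yarn" && tokens[1] === "global";
      findings.push({
        pkg: `${manifest.name}@${manifest.version}`,
        hook,
        command: segment.trim(),
        global: yarnGlobal || tokens.includes("-g") || tokens.includes("--global"),
        installs: tokens.slice(verbAt + 1).filter((t) => !t.startsWith("-")),
      });
    }
  }
  return findings;
}

// Constructed sample: only name, version and the postinstall command follow
// the incident description; it is not the real package.json.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "cline",
  version: "2.3.0",
  scripts: { postinstall: "npm install -g openclaw@latest" },
});

// Constructed benign manifest: the hook runs a local script, and the nested
// install sits in "test", which npm does not run at install time.
const BENIGN_MANIFEST = JSON.stringify({
  name: "example-pkg",
  version: "1.0.0",
  scripts: { postinstall: "node scripts/build.js", test: "npm install && jest" },
});

console.log(auditManifest(SAMPLE_MANIFEST));
console.log(auditManifest(BENIGN_MANIFEST));
```

Installing with `npm install --ignore-scripts` keeps lifecycle hooks like this one from running at all.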
Scope and Impact
The malicious version was available for approximately eight hours, between 3:26 AM PT and 11:30 AM PT on February 17, 2026. During that period, the compromised package was downloaded roughly 4,000 times.
The maintainers clarified that:
- No additional malicious code was inserted into Cline itself
- OpenClaw is not inherently malicious
- The Gateway daemon was not automatically started
The incident did not affect Cline’s Visual Studio Code extension or JetBrains plugin.
To remediate the issue, maintainers deprecated version 2.3.0, revoked the compromised token, and released version 2.4.0. They also upgraded their npm publishing workflow to use OpenID Connect through GitHub Actions.
According to Microsoft Threat Intelligence, there was a noticeable increase in OpenClaw installations on the day of the incident, directly tied to the compromised release.
The Clinejection Attack Chain
Although the identity of the attacker remains unknown, the breach appears linked to a previously disclosed vulnerability chain discovered by security researcher Adnan Khan.
The issue stems from an automated GitHub issue triage workflow that leveraged an AI agent with broad repository permissions. When a new issue was created, the workflow launched Claude with extensive access to repository tools in order to generate automated responses.
A misconfiguration granted excessive privileges, enabling arbitrary code execution within the default branch. By embedding a prompt injection payload in a GitHub issue title, an attacker could trick the AI agent into executing malicious commands.
This technique, dubbed Clinejection, built on earlier research known as PromptPwnd.
The attack chain reportedly involved:
- Forcing Claude to execute arbitrary code in the triage workflow
- Evicting legitimate cache entries by flooding GitHub Actions cache with over 10 GB of junk data
- Poisoning cache entries associated with nightly release workflows
- Waiting for the nightly publish job to trigger on the poisoned cache
Through GitHub Actions cache poisoning, attackers pivoted from a low-privilege workflow into high-privilege publishing pipelines, including nightly release and npm publication processes.
Compromised Publish Token
Investigators believe the attacker ultimately gained access to an active npm publish token, referred to as NPM_RELEASE_TOKEN or NPM_TOKEN. With this credential, the adversary authenticated to the npm registry and published Cline version 2.3.0.
The result was a real-world demonstration of AI-assisted supply chain risk, where automated workflows influenced by prompt injection led to unauthorized package publication.
Security experts emphasize that AI agents embedded into development pipelines must be treated as privileged actors, requiring strict governance, permission scoping, and monitoring.


