In yet another software supply chain attack, the open-source, artificial intelligence (AI)-powered coding assistant Cline CLI was updated to silently install OpenClaw, a self-hosted autonomous AI agent that has become exceedingly popular over the past few months.
"On February 17, 2026, at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: cline@2.3.0," the maintainers of the Cline package said in an advisory. "The published package contains a modified package.json with an added postinstall script: "postinstall": "npm install -g openclaw@latest"."
As a result, OpenClaw is installed on the developer's machine whenever Cline version 2.3.0 is installed. Cline said no other changes were made to the package and no malicious behavior was observed. However, it noted that the installation of OpenClaw was neither authorized nor intended.
The supply chain attack affects all users who installed the Cline CLI package published on npm, specifically version 2.3.0, during an approximately eight-hour window between 3:26 a.m. PT and 11:30 a.m. PT on February 17, 2026. The incident does not affect Cline's Visual Studio Code (VS Code) extension or its JetBrains plugin.
To remediate the unauthorized publication, the Cline maintainers have released version 2.4.0. Version 2.3.0 has since been deprecated and the compromised token has been revoked. Cline also said the npm publishing mechanism has been updated to use OpenID Connect (OIDC) via GitHub Actions, so that releases are authenticated with short-lived workflow identity tokens rather than a long-lived publish token.
In a post on X, the Microsoft Threat Intelligence team said it observed a "small but noticeable uptick" in OpenClaw installations on February 17, 2026, as a result of the supply chain compromise of the Cline CLI package. According to StepSecurity, the compromised Cline package was downloaded roughly 4,000 times during the eight-hour stretch.
Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if it is not required.
"Overall impact is considered low, despite high download counts: OpenClaw itself is not malicious, and the installation does not include the installation/start of the Gateway daemon," Endor Labs researcher Henrik Plate said.
“Still, this event emphasizes the need for package maintainers to not only enable trusted publishing, but also disable publication through traditional tokens – and for package users to pay attention to the presence (and sudden absence) of corresponding attestations.”
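The two signals in this incident, a lifecycle script that appears in a new version and a version that drops the provenance attestation its predecessors carried, can both be checked from the registry's package metadata before a package is installed. The following is an added example written for this article and is not code from Cline, npm, or any of the researchers quoted here. It audits a registry "packument": the field names (versions, scripts, dist.attestations) follow the npm registry document format, but the package, version numbers, and script contents below are constructed for illustration and are not real cline metadata. The semver comparison is deliberately simplified to numeric major.minor.patch.

```javascript
// Added example (not Cline's, npm's or the quoted researchers' code): audit an
// npm registry packument for (1) a lifecycle hook that is new or changed
// relative to the previous version, especially one that installs something
// globally, and (2) a version that lacks the provenance attestation the
// previous version carried. SAMPLE_PACKUMENT is constructed; the structure
// mirrors what https://registry.npmjs.org/<name> returns.
const SAMPLE_PACKUMENT = {
  name: "example-cli",
  "dist-tags": { latest: "2.3.0" },
  versions: {
    "2.2.0": {
      version: "2.2.0",
      scripts: { build: "tsc -p .", test: "vitest run" },
      dist: {
        tarball: "https://registry.example.invalid/example-cli-2.2.0.tgz",
        // Present on versions published with --provenance / trusted publishing.
        attestations: {
          url: "https://registry.example.invalid/-/npm/v1/attestations/example-cli@2.2.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
    "2.3.0": {
      version: "2.3.0",
      scripts: {
        build: "tsc -p .",
        test: "vitest run",
        // Constructed: the pattern from the incident, an added postinstall
        // that pulls an unrelated package in with a global install.
        postinstall: "npm install -g some-agent@latest",
      },
      dist: { tarball: "https://registry.example.invalid/example-cli-2.3.0.tgz" },
    },
  },
};

// Hooks that run automatically on `npm install` of a dependency.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Matches "npm install -g x", "npm i --global x", "pnpm add -g x", etc.
const GLOBAL_INSTALL = /\b(npm|pnpm|yarn)\b[^;&|]*\b(install|add|i)\b[^;&|]*(\s-g\b|\s--global\b)/;

// Simplified semver: compare numeric major.minor.patch, ignore prerelease tags.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}
function hasAttestation(meta) {
  return Boolean(meta.dist && meta.dist.attestations);
}

// Walk versions in ascending order and compare each against its predecessor.
function auditPackument(doc) {
  const findings = [];
  const ordered = Object.keys(doc.versions).sort(compareVersions);
  let prev = null;
  for (const v of ordered) {
    const cur = doc.versions[v];
    if (prev) {
      const curScripts = cur.scripts || {};
      const prevScripts = prev.scripts || {};
      for (const hook of LIFECYCLE_HOOKS) {
        const cmd = curScripts[hook];
        if (cmd && cmd !== prevScripts[hook]) {
          findings.push({
            version: v,
            kind: "lifecycle-script-changed",
            hook,
            command: cmd,
            globalInstall: GLOBAL_INSTALL.test(cmd),
          });
        }
      }
      if (hasAttestation(prev) && !hasAttestation(cur)) {
        findings.push({ version: v, kind: "attestation-dropped", previous: prev.version });
      }
    }
    prev = cur;
  }
  return findings;
}

function main() {
  for (const f of auditPackument(SAMPLE_PACKUMENT)) console.log(JSON.stringify(f));
}
main();
```

Run against a real package, the document to feed in is the JSON at https://registry.npmjs.org/<name>. A version that introduces a global install in a lifecycle hook, or that silently loses the attestation its predecessors had, is exactly the "sudden absence" Plate describes and is worth pausing on before upgrading. On a machine that may already have pulled the affected version, `npm ls -g --depth=0` lists globally installed packages so an unexpected one can be spotted and removed with `npm uninstall -g <name>`.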
Leveraging Clinejection to Leak Publication Secrets
While it's currently not clear who is behind the breach of the npm package or what their end goals were, it comes after security researcher Adnan Khan discovered that attackers could steal the repository's authentication tokens through prompt injection, taking advantage of the fact that the repository is configured to automatically triage any incoming issue raised on GitHub.
"When a new issue is opened, the workflow spins up Claude with access to the repository and a broad set of tools to analyze and respond to the issue," Khan explained. "The intent: automate first-response to reduce maintainer burden."
But a misconfiguration in the workflow gave Claude excessive permissions, enough to achieve arbitrary code execution in the context of the default branch. Combined with a prompt injection embedded in the GitHub issue title, this could be exploited by anyone with a GitHub account to trick the AI agent into running arbitrary commands and ultimately compromise production releases.
This shortcoming, which builds upon PromptPwnd, has been codenamed Clinejection. It was introduced in a source code commit made on December 21, 2025. The attack chain is outlined below:
- Prompt Claude to run arbitrary code in the issue triage workflow
- Evict legitimate cache entries by filling the cache with more than 10GB of junk data, triggering GitHub's Least Recently Used (LRU) cache eviction policy
- Set poisoned cache entries matching the nightly release workflow's cache keys
- Wait for the nightly publish to run at around 2 a.m. UTC and restore the poisoned cache entry
"This would allow an attacker to obtain code execution in the nightly workflow and steal the publication secrets," Khan noted. "If a threat actor were to obtain the production publish tokens, the result would be a devastating supply chain attack."
“A malicious update pushed through compromised publication credentials would execute in the context of every developer who has the extension installed and set to update automatically.”
In other words, the attack sequence uses GitHub Actions cache poisoning to pivot from the low-trust triage workflow to a highly privileged one, such as the Publish Nightly Release and Publish NPM Nightly workflows, and steal the nightly publication credentials, which carry the same access as those used for production releases. The key weakness is that the cache is shared across workflows in the repository, so a workflow that can write cache entries can influence any workflow that restores them.
As it turns out, that is exactly what happened, with the unknown threat actor using an active npm publish token (referred to as NPM_RELEASE_TOKEN or NPM_TOKEN) to authenticate to the npm registry and publish Cline version 2.3.0.
"We have been talking about AI supply chain security in theoretical terms for too long, and this week it became an operational reality," Chris Hughes, VP of Security Strategy at Zenity, said in a statement shared with The Hacker News. "When a single issue title can influence an automated build pipeline and affect a published release, the risk is no longer theoretical. The industry needs to start recognizing AI agents as privileged actors that require governance."



