Cline CLI Compromised: Hijacked npm Package Silently Installed OpenClaw on Developer Machines

A compromised npm publishing token allowed an attacker to push a malicious version of the Cline CLI that silently installed OpenClaw via a postinstall script. The incident was caught and fixed within hours.

Another week, another npm supply chain attack - but this one has an unusual twist. A compromised publishing token was used to push a malicious version of the Cline CLI that silently installed OpenClaw, the viral open-source AI agent, on every machine that ran npm install.

The incident, disclosed yesterday via a GitHub security advisory, was discovered by security researcher AdnaneKhan and patched within hours. But it raises fresh questions about the security of AI developer tooling at a time when supply chain attacks against the npm ecosystem are accelerating.

What Happened

On February 17, an unauthorized party used a compromised npm publishing token to release cline@2.3.0 - a version that had never been built by the Cline team. The attacker made a single modification to package.json, adding a postinstall hook:

"postinstall": "npm install -g openclaw@latest"

That is it. No other files were changed. The CLI binary (dist/cli.mjs) and all other package contents were identical to the legitimate [email protected] release. Anyone who installed or upgraded to version 2.3.0 would have unknowingly had OpenClaw installed globally on their system.

The Cline team published a corrected version 2.4.0 at 11:23 AM PT the same day and deprecated the malicious 2.3.0 at 11:30 AM. The advisory rates the severity as "low" because the injected package - OpenClaw itself - is legitimate open-source software, not malware. But the installation was unauthorized and unintended, and the fact that an attacker had a valid publishing token is concerning regardless of what they chose to install with it.

Why It Matters

Cline is one of the most popular AI coding agents available, trusted by over 4 million developers. It runs as an autonomous agent in VS Code and the terminal, capable of creating and editing files, executing commands, and browsing the web. A compromised publishing token for a package with that kind of reach is a serious security event, even if the payload in this case was benign.

The attacker chose to install OpenClaw - Peter Steinberger's open-source AI assistant that recently went viral with over 200,000 GitHub stars. OpenClaw is not malware. But the postinstall script could just as easily have installed a credential stealer, a cryptominer, or a reverse shell. The mechanism is the same.

A Pattern Emerging

This incident fits into a broader and accelerating pattern of supply chain attacks targeting the npm ecosystem and AI tooling specifically.

The Shai-Hulud campaign (September-November 2025) compromised over 500 npm packages through a self-replicating worm that stole credentials and, in its 2.0 iteration, attempted to destroy victims' home directories when exfiltration failed. The attack originated from unrotated tokens left over from the earlier s1ngularity breach.

The ClawHavoc attack (January 2026) planted 341 malicious skills on OpenClaw's ClawHub marketplace, deploying the Atomic Stealer infostealer on macOS and credential-stealing trojans on Windows. The malicious skills impersonated popular tools and used typosquatting to catch accidental installs.

The Nx compromise (August 2025) showed that attackers are specifically targeting AI coding tools. The malicious payload in the Nx build system package weaponized local AI coding agents - including Claude Code, Gemini, and Amazon Q - using them for reconnaissance and data exfiltration. It was one of the first documented cases of malware leveraging AI assistant CLIs as an attack vector.

PackageGate (January 2026) disclosed six zero-day vulnerabilities affecting npm, pnpm, vlt, and Bun that undermined the primary defenses recommended after Shai-Hulud.

The npm ecosystem has become the single most targeted supply chain attack surface in software development. And AI developer tools - which often run with elevated permissions, execute arbitrary code, and have access to API keys and credentials - are increasingly the payload of choice.

What Developers Should Do

If you installed cline@2.3.0, the advisory recommends:

  1. Update to version 2.4.0 or later (npm install -g cline@latest)
  2. Uninstall OpenClaw if you did not install it intentionally (npm uninstall -g openclaw)
  3. Review your environment for any unexpected globally installed packages (npm list -g --depth=0)

More broadly, this is a reminder that npm install is code execution. Postinstall scripts run automatically with the permissions of the installing user. Tools like Socket can flag suspicious postinstall scripts before they run, and pnpm v10 now disables automatic postinstall script execution by default - a change the rest of the npm ecosystem would be wise to adopt.
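Because the only change in the malicious release was one line in package.json, comparing install-time lifecycle hooks between two versions of a manifest is enough to surface it. The following is an added example, not code from Cline, npm, or the advisory; the function names, the risk patterns, and both sample manifests are constructed for illustration, and only the postinstall command is taken from the incident described above.

```javascript
// Added example (not Cline's or npm's code): report install-time lifecycle
// hooks that were added or changed between two versions of a package.json.

// Hooks npm runs automatically when a package is installed as a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic labels for commands that deserve a manual look before upgrading.
const RISK_PATTERNS = [
  ["package-manager install", /\b(npm|pnpm|yarn|bun)\s+(install|i|add)\b/],
  ["global install", /(^|\s)(-g|--global)(\s|$)/],
  ["network fetch", /\b(curl|wget)\b/],
];

function riskFlags(command) {
  return RISK_PATTERNS.filter(([, re]) => re.test(command)).map(([label]) => label);
}

function lifecycleScriptChanges(oldManifest, newManifest) {
  const before = oldManifest.scripts || {};
  const after = newManifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (before[hook] === after[hook]) continue; // unchanged, or absent in both
    const status =
      before[hook] === undefined ? "added" :
      after[hook] === undefined ? "removed" : "changed";
    const command = after[hook] ?? null;
    findings.push({ hook, status, command, flags: command ? riskFlags(command) : [] });
  }
  return findings;
}

// Constructed manifests: only the postinstall line comes from the article.
const previousManifest = {
  name: "cline",
  version: "0.0.0-placeholder", // placeholder, not a real release number
  scripts: { test: "node test.js" }, // hypothetical script
};
const suspectManifest = {
  name: "cline",
  version: "2.3.0",
  scripts: { test: "node test.js", postinstall: "npm install -g openclaw@latest" },
};

const findings = lifecycleScriptChanges(previousManifest, suspectManifest);
console.log(JSON.stringify(findings, null, 2));
```

Real manifests to compare can be fetched without installing anything using npm view <name>@<version> --json.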

For teams running AI coding agents in CI/CD pipelines or development environments, the message is clear: pin your dependency versions, audit your lock files, enable two-factor authentication on all publishing accounts, and rotate tokens regularly. The next attacker may not be as gentle as this one.

About the author Senior AI Editor & Investigative Journalist

Elena is a technology journalist with over eight years of experience covering artificial intelligence, machine learning, and the startup ecosystem.