Full Report
4K unintended installs in very odd supply chain attack
Someone compromised open source AI coding assistant Cline CLI's npm package earlier this week in an odd supply chain attack that secretly installed OpenClaw on developers' machines without their knowledge. …
Analysis Summary
# Incident Report: Cline CLI Supply Chain Compromise
## Executive Summary
An unauthorized party compromised the npm publishing credentials (token) for the open-source AI coding assistant, Cline CLI. The attacker published a malicious update (version 2.3.0) that forced the global installation of "OpenClaw," an AI agent framework, on approximately 4,000 developer machines. While the secondary package was not inherently malicious, the incident represents a significant unauthorized supply chain breach facilitated by a leaked token discovered through a researcher's test repository.
## Incident Details
- **Discovery Date:** February 17, 2026
- **Incident Date:** February 17, 2026
- **Affected Organization:** Cline (Open Source Project)
- **Sector:** Software Development / Artificial Intelligence
- **Geography:** Global (Users of npm)
## Timeline of Events
### Initial Access
- **Date/Time:** February 17, 2026, approx. 3:26 AM PT.
- **Vector:** Compromised npm publication token.
- **Details:** An unidentified actor found a Proof of Concept (PoC) on a security researcher's public test mirror of Cline. This PoC contained or enabled access to publication credentials which were then used to push unauthorized code to the official npm registry.
### Lateral Movement
- **Details:** The attack moved from the researcher's public test repository to the official `cline` npm package registry.
### Data Exfiltration/Impact
- **Details:** Approximately 4,000 developers downloaded the compromised `cline@2.3.0` package. The impact was the forced global installation of the `openclaw` package on these local environments.
### Detection & Response
- **Detection:** Microsoft Security Intelligence noted an uptick in OpenClaw installations; package maintainers identified the unauthorized version.
- **Response Actions:** The maintainers deprecated the compromised version (2.3.0), revoked the leaked token, and released version 2.4.0.
## Attack Methodology
- **Initial Access:** Credential theft via a researcher's test repository mirror.
- **Persistence:** Not applicable for this specific event (short-lived update).
- **Privilege Escalation:** Use of official maintainer tokens to bypass registry security.
- **Defense Evasion:** Using a legitimate, non-malicious tool (OpenClaw) as the payload to satisfy basic automated scans while achieving unauthorized execution.
- **Credential Access:** Token harvesting from a public GitHub repository mirror.
- **Discovery:** Attacker conducted reconnaissance on security researchers' repositories.
- **Impact:** Supply chain compromise; unauthorized software installation on 4,000+ systems.
## Impact Assessment
- **Financial:** No direct financial loss reported; significant labor costs for remediation by 4,000 developers.
- **Data Breach:** No data exfiltration reported.
- **Operational:** Disruption to developer environments and project workflows.
- **Reputational:** High. Erosion of trust in the Cline CLI package and the security of AI-related open-source tooling.
## Indicators of Compromise
- **File Indicators:**
  - `cline@2.3.0` (Malicious npm package version)
  - Unauthorized `openclaw` global installation on developer machines.
- **Behavioral Indicators:**
  - Unexpected `npm install -g openclaw` triggered during Cline updates.
## Response Actions
- **Containment:** Deprecated the compromised `cline@2.3.0` version on npm.
- **Eradication:** Revoked the compromised npm publishing token.
- **Recovery:** Released version 2.4.0 to overwrite the malicious version; advised users to manually uninstall OpenClaw.
- **Hardening:** Migrated package publishing to use OIDC (OpenID Connect) provenance via GitHub Actions to eliminate long-lived secret tokens.
## Lessons Learned
- **Key Takeaways:** Even if a secondary payload is "legitimate" (OpenClaw), an unauthorized installation is a grave security breach. Mirroring repositories for testing can inadvertently expose sensitive secrets if not properly scrubbed.
- **Shortcomings:** Use of long-lived static npm tokens allowed the attacker to hijack the publishing pipeline without needing access to the maintainers' primary accounts.
## Recommendations
- **Adopt OIDC:** Transition all package publishing from static tokens to short-lived, identity-based credentials (e.g., GitHub Actions OIDC).
- **Secret Scanning:** Implement robust secret scanning on all repositories, including forks and mirrors used for security research/PoCs.
- **Integrity Checks:** Developers should run `npm audit` and monitor for unexpected global package installations.
- **Environment Isolation:** Use containers or virtual environments for AI coding assistants to limit the blast radius of supply chain attacks.
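
A check for the indicators listed above and for the "unexpected global package" recommendation, as an added example that is not code from the Cline project or from this report. The function names and sample inputs are assumptions constructed for illustration, and the lockfile check goes beyond the global-install case the report describes.

```javascript
// Added example: flag this report's two indicators in npm metadata.
const BAD_PACKAGE = "cline";
const BAD_VERSION = "2.3.0";          // compromised version named in the report
const UNEXPECTED_GLOBAL = "openclaw"; // payload named in the report

// npmLs: parsed output of `npm ls -g --depth=0 --json`
function checkGlobalTree(npmLs) {
  const deps = (npmLs && npmLs.dependencies) || {};
  const findings = [];
  if (deps[BAD_PACKAGE] && deps[BAD_PACKAGE].version === BAD_VERSION) {
    findings.push(`global ${BAD_PACKAGE}@${BAD_VERSION} is installed`);
  }
  // Upgrading cline does not remove the payload, so check for it separately.
  if (deps[UNEXPECTED_GLOBAL]) {
    findings.push(`global ${UNEXPECTED_GLOBAL}@${deps[UNEXPECTED_GLOBAL].version} is present`);
  }
  return findings;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3, which has "packages")
function checkLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries((lock && lock.packages) || {})) {
    // Keys look like "node_modules/cline" or "node_modules/x/node_modules/cline".
    const name = path.split("node_modules/").pop();
    if (name === BAD_PACKAGE && meta.version === BAD_VERSION) {
      findings.push(`${path} is locked to ${BAD_VERSION}`);
    }
  }
  return findings;
}

// Constructed sample inputs (not real captures).
const SAMPLE_GLOBAL = {
  name: "lib",
  dependencies: {
    cline: { version: "2.4.0" },
    npm: { version: "11.0.0" },
    openclaw: { version: "0.0.0-sample" },
  },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/cline": { version: "2.3.0" },
    "node_modules/@example/cline": { version: "2.3.0" },
  },
};

console.log(checkGlobalTree(SAMPLE_GLOBAL));
console.log(checkLockfile(SAMPLE_LOCK));
```

Because OpenClaw is a legitimate tool, a hit on `openclaw` alone means "confirm who installed it", not proof of compromise.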