Full Report
In yet another software supply chain attack, the open-source, artificial intelligence (AI)-powered coding assistant Cline CLI was updated to stealthily install OpenClaw, a self-hosted autonomous AI agent that has become exceedingly popular in the past few months. "On February 17, 2026, at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI
Analysis Summary
# Incident Report: Cline CLI Supply Chain Compromise
## Executive Summary
On February 17, 2026, the popular AI coding assistant Cline CLI fell victim to a software supply chain attack. An unauthorized party used a compromised npm publish token to release a malicious version (2.3.0) whose install hook silently installed the OpenClaw AI agent on developer workstations. While the payload (an unsolicited global install of OpenClaw) is not malware in itself, the breach shows how an AI-driven issue-triage workflow with access to release secrets, combined with a long-lived publish token, turns a prompt injection into a registry compromise.
## Incident Details
- **Discovery Date:** February 17, 2026
- **Incident Date:** February 17, 2026
- **Affected Organization:** Cline (Open-source project)
- **Sector:** Information Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** February 17, 2026, at 3:26 AM PT (time of the unauthorized publish; the token theft that enabled it preceded this).
- **Vector:** Compromised npm publish token.
- **Details:** Attackers obtained the npm publishing secret, likely through a "Clinejection" (prompt injection) attack against the project's GitHub Actions workflow, which used an AI agent to triage issues and therefore processed attacker-controlled text while holding access to repository secrets.
### Lateral Movement
- **Details:** Not applicable in the traditional network sense; the attackers moved from a compromised GitHub Action environment to the npm registry to publish unauthorized code.
### Data Exfiltration/Impact
- **Impact:** Forced installation of `openclaw` on approximately 4,000 developer machines via a `postinstall` script in the `package.json` of Cline CLI 2.3.0; the hook ran `npm install -g openclaw@latest` whenever the compromised version was installed or updated.
### Detection & Response
- **Discovery:** Detected within hours by maintainers and third-party security researchers (StepSecurity/Microsoft).
- **Response Actions:** The compromised version was deprecated at 11:30 AM PT. Version 2.4.0 was released to remediate the issue, and publishing secrets were rotated.
## Attack Methodology
- **Initial Access:** Prompt Injection ("Clinejection") targeting the GitHub automated triage assistant.
- **Persistence:** Not established in the package itself, but the `postinstall` script installed OpenClaw globally (`-g`), so it remained on affected machines after Cline CLI was updated and had to be removed manually.
- **Privilege Escalation:** Exploiting excessive permissions in GitHub Actions to execute arbitrary code and leak repository secrets.
- **Defense Evasion:** Modifying only the `package.json` rather than the core logic to avoid immediate detection of functional changes.
- **Credential Access:** Theft of the npm publish token from the CI/CD environment.
- **Impact:** Supply chain compromise and unauthorized software deployment.
## Impact Assessment
- **Financial:** Low direct cost; primarily labor costs for remediation.
- **Data Breach:** None reported, though the potential for secret exfiltration during the initial injection was high.
- **Operational:** Approximately 4,000 developers worldwide installed the unauthorized version; disruption caused by the need for manual removal of OpenClaw.
- **Reputational:** Moderate; raises concerns regarding the safety of AI-integrated development tools.
## Indicators of Compromise
- **File indicators:** Cline CLI 2.3.0 (npm package)
- **Behavioral indicators:** Unexpected execution of `npm install -g openclaw@latest` following a Cline update.
- **GitHub Advisory:** `GHSA-9ppg-jx86-fqw7`
## Response Actions
- **Containment:** Revoked the compromised npm publish token.
- **Eradication:** Deprecated Cline CLI 2.3.0 on the npm registry.
- **Recovery:** Released Cline CLI 2.4.0 and migrated the publishing mechanism to use OpenID Connect (OIDC) via GitHub Actions for "Trusted Publishing."
## Lessons Learned
- **AI Agent Risk:** Granting AI agents write access or secret access to repositories for "automated triage" creates a massive attack surface for prompt injection.
- **Token Security:** Traditional long-lived npm tokens are high-value targets; short-lived, identity-based tokens are superior.
- **Script Monitoring:** `postinstall` scripts remain a primary vector for npm-based supply chain attacks, since they execute arbitrary commands with the installing user's privileges at install time. npm's `ignore-scripts` setting disables them, at the cost of breaking packages that legitimately need a build step on install.
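As an added example (not Cline's code, and not from the original report), the following Node script shows the two checks described above: flagging install-time lifecycle hooks in a package manifest that match the pattern used here, and inspecting a `npm ls -g --json` snapshot for the affected release or an unexpected global OpenClaw install. The sample manifests and the `npm ls` snapshot are constructed to mirror the report's description; the npm package name `cline` and the placeholder `openclaw` version are assumptions.

```javascript
// Hooks npm runs automatically at install time; `prepare` also runs on a
// plain `npm install` inside a checkout.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics for commands that have no business in an install hook.
const RISKY_PATTERNS = [
  { name: "global-install",
    re: /\bnpm\s+(?:i|install|add)\b[^&|;]*\s-g\b|\bnpm\s+(?:i|install|add)\s+--global\b/ },
  { name: "remote-fetch", re: /\b(?:curl|wget)\b/ },
  { name: "pipe-to-shell", re: /\|\s*(?:sh|bash|zsh)\b/ },
  { name: "encoded-payload", re: /\bbase64\b/ },
  { name: "eval", re: /\beval\b|\bnode\s+-e\b/ },
];

// Return one finding per install hook whose command matches a risky pattern.
function scanInstallHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const reasons = RISKY_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.name);
    if (reasons.length > 0) findings.push({ hook, command, reasons });
  }
  return findings;
}

// Given parsed output of `npm ls -g --depth=0 --json`, report whether the
// affected Cline CLI release or a global openclaw package is present.
function checkGlobalInstalls(npmLsJson, affected = { name: "cline", version: "2.3.0" }) {
  const deps = (npmLsJson && npmLsJson.dependencies) || {};
  const pkg = deps[affected.name];
  return {
    affectedClineInstalled: Boolean(pkg) && pkg.version === affected.version,
    openclawInstalled: Object.prototype.hasOwnProperty.call(deps, "openclaw"),
  };
}

// Constructed sample inputs (not real package contents).
const compromisedManifest = {
  name: "cline",
  version: "2.3.0",
  scripts: { build: "tsc -p .", postinstall: "npm install -g openclaw@latest" },
};
const cleanManifest = {
  name: "cline",
  version: "2.4.0",
  scripts: { build: "tsc -p .", test: "vitest run" },
};
const globalSnapshot = {
  // version numbers here are placeholders, not real releases
  dependencies: { cline: { version: "2.3.0" }, openclaw: { version: "0.0.0" } },
};

console.log(JSON.stringify(scanInstallHooks(compromisedManifest), null, 2));
console.log(JSON.stringify(scanInstallHooks(cleanManifest)));
console.log(JSON.stringify(checkGlobalInstalls(globalSnapshot)));
```

To run the second check against a real machine, feed it `JSON.parse` of the output of `npm ls -g --depth=0 --json`. The hook scanner is deliberately heuristic: a clean result does not prove a package is safe, and a match (for example a legitimate `node-gyp` build step that downloads headers) still needs a human to read the command.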
## Recommendations
- **Transition to OIDC:** All package maintainers should move to Trusted Publishing (OIDC) to eliminate the need for permanent secrets in CI/CD.
- **Restrict AI Permissions:** AI agents used for repository management should operate in a "read-only" capacity or within a sandboxed environment without access to production secrets.
- **Audit Dependencies:** Developers should use `npm audit` (which flags installed versions covered by advisories such as the GHSA above) or third-party tools such as Socket to catch deprecated or suspicious package versions, and should review lifecycle scripts in updated packages before allowing them to run.