A supply chain attack compromised the npm package for the AI coding tool Cline, causing version 2.3.0 to secretly install a program called OpenClaw on users' systems. The attack exploited a previously disclosed vulnerability to steal a publication token and was downloaded over 4,000 times before being removed. While OpenClaw is not traditional malware, it poses significant risk by establishing a persistent background process with broad system permissions. The main topics covered are the supply chain attack mechanism, the nature of the OpenClaw payload, and the security vulnerabilities in the Cline framework that enabled the incident.
Supply Chain Attack Secretly Installs OpenClaw for Cline Users
The malicious version of Cline's npm package — 2.3.0 — was downloaded more than 4,000 times before it was removed.
The rapid spread of OpenClaw wasn't going fast enough for someone.
Cybersecurity vendors this week noticed an odd trend when the npm package for version 2.3.0 of Cline, a widely used open source AI coding tool, began installing an apparent stowaway program: OpenClaw. For approximately eight hours, users who downloaded Cline received a poisoned version of the tool that, while not carrying traditional malware, still made unauthorized installations on their systems.
It's unclear who perpetrated this odd supply chain attack, and what the ultimate motivation is beyond forced installations of OpenClaw. But the attack marks the latest red flag for the fast-growing AI framework, which security researchers have expressed concerns about since its explosion onto the technology landscape last month.
A PoC Leads to a Poisoned NPM Package
The supply chain attack stemmed from a vulnerability disclosed earlier this month by security researcher Adnan Khan. Exploitation of the vulnerability, which had no assigned CVE at press time, can lead to an attacker obtaining secrets such as release tokens.
"Between Dec. 21, 2025, and Feb. 9, 2026, a prompt injection vulnerability in Cline’s (now removed) Claude Issue Triage workflow allowed any attacker with a GitHub account to compromise production Cline releases on both the Visual Studio Code Marketplace and OpenVSX and publish malware to millions of developers!" Khan wrote in a blog post.
Khan said his attempts to contact Cline were initially "fruitless," and the company quickly patched the vulnerability shortly after his research was published. Unfortunately, someone took advantage of Khan's research, stole an npm publish token, and tricked the latest version of Cline into also installing OpenClaw.
Henrik Plate, security researcher with Endor Labs, explained in a blog post that version 2.3.0 of the Cline CLI npm package used a post-install hook to silently download OpenClaw to the same system. While the impact is considered low because OpenClaw isn't malicious, he noted that "this event emphasizes the need for package maintainers to not only enable trusted publishing, but also disable publication through traditional tokens — and for package users to pay attention to the presence (and sudden absence) of corresponding attestations."
In an update to his blog post, Khan stressed that he was not behind the supply chain attack and that he didn't conduct testing of his proof-of-concept (PoC) exploit on Cline's repository. "I conducted my PoC on a mirror of Cline to confirm the prompt injection vulnerability. A different actor found my PoC on my test repository and used it to directly attack Cline and obtain the publication credentials," he wrote.
Cline published an advisory on GitHub and released version 2.4.0 while removing the previous, tainted npm package. "The compromised token has been revoked and npm publishing now uses OIDC provenance via GitHub Actions," the company said.
OpenClaw Not Malicious, But Risky
StepSecurity said the compromised Cline package was downloaded approximately 4,000 times over an eight-hour stretch before version 2.3.0 was deprecated. And while the short-lived supply chain attack didn't deploy malware, that doesn't mean it didn't present serious risk.
Sai Likhith Paradarami, software engineer with StepSecurity, explained in a blog post that OpenClaw is a "dangerous payload" because it had broad permissions as well as full disk access on a system in order to execute tasks on the user's behalf. OpenClaw also establishes a persistent Gateway daemon that runs quietly in the background as a WebSocket server.
"This design makes it an exceptionally high-value implant for an attacker," Paradarami, wrote, adding that a silently installed version of OpenClaw could give a threat actor a persistent foothold on a targeted system with the ability to steals secrets and credentials as well as tamper with development environments.
Along with updating their systems to version 2.4.0, Paradarami urged Cline users to review their environments for any unwanted installations of OpenClaw.
Meridiano
