AI coding assistant Cline compromised to create more OpenClaw chaos
- Reference: 1771617910
- News link: https://www.theregister.co.uk/2026/02/20/openclaw_snuck_into_cline_package/
The incident occurred on Tuesday, when an "unauthorized party" used a compromised token to publish an update to Cline CLI on its npm registry that installs OpenClaw - the [2]AI agent platform slash [3]security nightmare - on users' computers when they install cline@2.3.0.
"Users who installed Cline CLI cline@2.3.0 during the approximately 8-hour window between 3:26 AM PT and 11:30 AM PT on February 17 will have openclaw globally installed," Cline's maintainers [4]said in a security advisory. "The openclaw package is a legitimate open source project and is not malicious, but its installation was not authorized or intended."
The maintainers also revoked the compromised token, and added that "npm publishing now uses OIDC provenance via GitHub Actions."
Anyone who installed Cline during this time period should update to a fixed version (2.4.0 or higher) and check their environment for a surprise OpenClaw installation.
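A check for the two conditions named above, cline@2.3.0 and a global openclaw install, written as an added example (not code from Cline's advisory or The Register). It assumes `npm` is on PATH and reads the JSON printed by `npm ls -g --depth=0 --json`; the function names and the sample tree are constructed for illustration.

```javascript
// Added example, not Cline's or npm's code. Version numbers are the ones the article gives.
const COMPROMISED = '2.3.0';      // cline release that pulled in openclaw
const FIXED = [2, 4, 0];          // first fixed release per the article

// Compare "x.y.z" against a [major, minor, patch] triple; pre-release tags are ignored.
function atLeast(version, min) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const p = parts[i] || 0;
    if (p !== min[i]) return p > min[i];
  }
  return true;
}

// tree: parsed output of `npm ls -g --depth=0 --json`.
function auditGlobalTree(tree) {
  const deps = (tree && tree.dependencies) || {};
  const cline = deps.cline ? deps.cline.version : null;
  let clineStatus = 'absent';
  if (cline === COMPROMISED) clineStatus = 'compromised';
  else if (cline) clineStatus = atLeast(cline, FIXED) ? 'fixed' : 'other';
  return {
    clineVersion: cline,
    clineStatus,
    openclawVersion: deps.openclaw ? deps.openclaw.version : null,
    // openclaw is a separate global package, so it is flagged independently of cline.
    needsAction: clineStatus === 'compromised' || Boolean(deps.openclaw),
  };
}

// Read the real global tree. npm ls can exit non-zero yet still print JSON.
function readGlobalTree() {
  const { execFileSync } = require('node:child_process');
  const args = ['ls', '-g', '--depth=0', '--json'];
  try {
    return JSON.parse(execFileSync('npm', args, { encoding: 'utf8' }));
  } catch (err) {
    if (err.stdout) return JSON.parse(err.stdout);
    throw err;
  }
}

// Constructed sample: a machine that installed cline@2.3.0 during the window.
const sample = { dependencies: { cline: { version: '2.3.0' }, openclaw: { version: '0.0.0-sample' } } };
const live = process.argv.includes('--live');
console.log(auditGlobalTree(live ? readGlobalTree() : sample));
```

Run it with `--live` to audit the machine's actual global packages instead of the constructed sample. A result with `needsAction: true` and a `fixed` cline means openclaw is still installed globally and should be reviewed.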
Earlier this month, security researcher Adnan Khan found and disclosed a prompt injection vulnerability (since fixed) to Cline that could be abused for this exact purpose.
"To make sure it's clear in the midst of the NPM package situation: I did NOT conduct overt testing on Cline's repository," Khan [12]said in an update to his research.
"I conducted my PoC on a mirror of Cline to confirm the prompt injection vulnerability," he added. "A different actor found my PoC on my test repository and used it to directly attack Cline and obtain the publication credentials."
Microsoft did [14]note a "small but noticeable uptick in installations of OpenClaw initiated by Cline CLI installation script" during the eight-hour supply chain incident on February 17.
StepSecurity, meanwhile, [15]reported that the compromised version was downloaded about 4,000 times before the package maintainers deprecated it.
We don't know who's responsible for slipping OpenClaw into Cline's npm registry - and for what purposes other than creating more chaotic AI agents. ®
[1] https://www.theregister.com/2026/02/12/supply_chain_attacks/
[2] https://www.theregister.com/2026/02/09/openclaw_instances_exposed_vibe_code/
[3] https://www.theregister.com/2026/02/03/openclaw_security_problems/
[4] https://github.com/cline/cline/security/advisories/GHSA-9ppg-jx86-fqw7
[8] https://www.theregister.com/2026/02/09/openclaw_instances_exposed_vibe_code/
[9] https://www.theregister.com/2026/02/12/supply_chain_attacks/
[10] https://www.theregister.com/2025/12/17/tea_ceo_fends_off_token_farmers/
[11] https://www.theregister.com/2026/02/03/autonomous_cyberattacks_not_real_yet/
[12] https://adnanthekhan.com/posts/clinejection/
[14] https://x.com/MsftSecIntel/status/2024575596941263040
[15] https://www.endorlabs.com/learn/supply-chain-attack-targeting-cline-installs-openclaw
Microslop
This reminds me of Microsoft not so secretly installing Coidiot on everyone's machines.