On February 17, 2026, a significant supply chain attack occurred targeting the open-source Cline CLI, a coding assistant powered by artificial intelligence. The attack led to the unauthorized installation of OpenClaw, an autonomous AI agent, on developer systems. This incident has raised concerns about the security of software supply chains and AI-driven development tools.
Details of the Unauthorized Installation
According to the maintainers of Cline, the breach was executed using a compromised npm publish token. This token was exploited to release a malicious update on the NPM registry identified as [email protected]. The update included a modified package.json file with a script to automatically install OpenClaw. Although no malicious actions were linked to OpenClaw itself, its installation was neither approved nor planned by the Cline team.
The breach affected users who downloaded Cline CLI version 2.3.0 within an eight-hour window. The attack did not impact other Cline tools such as the Visual Studio Code extension or the JetBrains plugin. In response, Cline released version 2.4.0, deprecated the compromised version, and revoked the affected token. Additionally, they enhanced their npm publishing process to use OpenID Connect via GitHub Actions.
Community Response and Impact
The Microsoft Threat Intelligence team noted an increase in OpenClaw installations on the day of the breach, signaling the impact of the compromised package. StepSecurity reported approximately 4,000 downloads during the short window of vulnerability. Users have been advised to update to the latest version and inspect their systems for unauthorized installations of OpenClaw.
Despite the high number of downloads, experts like Endor Labs researcher Henrik Plate have classified the overall impact as low. OpenClaw is not inherently harmful, and its installation lacks the initiation of the Gateway daemon. However, this breach underscores the necessity for secure publishing practices and vigilant monitoring of package updates.
Exploiting Clinejection for Credential Theft
The breach has been linked to a vulnerability known as Clinejection, which involves exploiting the Cline repository’s issue triage workflow. Security researcher Adnan Khan highlighted how attackers could manipulate the GitHub issue title to execute arbitrary code. This misconfiguration allowed unauthorized access to repository tokens, posing a risk of further supply chain attacks.
The method utilized prompt injection to influence Claude, the AI agent involved in issue triage, granting it excessive permissions. By compromising cache entries, attackers could execute code in workflows and potentially steal publication secrets. This breach illustrates the need for robust governance of AI agents within development pipelines.
Chris Hughes, VP of Security Strategy at Zenity, emphasized the shift from theoretical to operational risks in AI supply chain security. The industry must recognize AI agents as privileged actors that require strict oversight to prevent such vulnerabilities in the future.
