The open-source, AI-powered coding assistant Cline CLI was modified to covertly install OpenClaw, a self-hosted autonomous AI agent that has gained immense popularity in recent months, in yet another software supply chain attack This article explores cline malicious. . "On February 17, 2026, at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: cline@2.3.0," the Cline package maintainers reported in an advisory.

"The package.json file in the published package has been altered, and a postinstall script has been added: 'postinstall': "npm install -g openclaw@latest." Consequently, when Cline version 2.3.0 is installed on the developer's computer, OpenClaw is installed.

According to Cline, no malicious activity was noticed, and no extra changes were made to the package. It did point out, though, that OpenClaw's installation was neither approved nor planned. The following describes the attack chain: Claude is prompted to execute arbitrary code in the issue triage workflow.

Remove valid cache entries by adding more than 10GB of unnecessary data to the cache, which will cause GitHub's Cache eviction policy for Least Recently Used (LRU) Set poisoned cache entries that correspond to the cache keys used in the nightly release workflow. Wait for the poisoned cache entry to be activated by the nightly publish, which should happen at around two in the morning UTC. Khan pointed out that "this would allow an attacker to obtain code execution in the nightly workflow and steal the publication secrets."

"A devastating supply chain attack would occur if a threat actor were to obtain the production publish tokens." "Every developer who has the extension installed and configured to update automatically would be affected by a malicious update that was pushed through compromised publication credentials." Stated differently, the attack sequence uses GitHub Actions cache poisoning to switch from the triage workflow to a highly privileged workflow, like the Publish Nightly Release and Publish NPM Nightly workflows, and then steal the credentials for the nightly publication, which have the same access as those for production releases.

This is precisely what transpired, as the unidentified threat actor used an active npm publish token (also known as NPM_RELEASE_TOKEN or NPM_TOKEN) as a weapon to publish Cline version 2.3.0 and authenticate with the Node.js registry.