Ethical Hacking News
A recent breach of the npm package for the open-source coding assistant Cline CLI allowed an unknown threat actor to install OpenClaw on unsuspecting developer systems. The attack sequence, known as Clinejection, exploits GitHub Actions' cache poisoning mechanism to pivot from the triage workflow to highly privileged workflows and steal publication secrets. This incident highlights the need for vigilance in software supply chain security and the importance of proactive measures to prevent such attacks.
Cline CLI and OpenClaw were compromised through a breach of the npm package. The attackers exploited GitHub Actions' cache poisoning mechanism to install OpenClaw on developer systems. A vulnerability was discovered in the workflow that gave Claude excessive permissions for arbitrary code execution. Package maintainers should enable trusted publishing and disable publication through traditional tokens. Users should be aware of the presence and sudden absence of corresponding attestations.
In the realm of software development, supply chain security has emerged as a pressing concern. The recent compromise of the open-source coding assistant Cline CLI and the installation of the self-hosted autonomous AI agent OpenClaw on unsuspecting developer systems serve as a stark reminder of the need for vigilance in this area.
According to information released by Endor Labs, users are advised to update to the latest version of Cline CLI, check their environment for any unexpected installations of OpenClaw, and remove it if not required. This warning was issued following a breach of the npm package, which resulted in the unauthorized publication of an updated version of Cline CLI that stealthily installed OpenClaw.
The attack sequence, codenamed Clinejection, exploits GitHub Actions' cache poisoning mechanism to pivot from the triage workflow to highly privileged workflows like the Publish Nightly Release and Publish NPM Nightly workflows. This allows an attacker to obtain code execution in the nightly workflow and steal publication secrets, potentially resulting in a devastating supply chain attack.
The incident has been attributed to an unknown threat actor who weaponized an active npm publish token to authenticate with the Node.js registry and publish Cline version 2.3.0, which contained a modified package.json file with a postinstall script that installed OpenClaw. As a result, OpenClaw was installed on developer systems when Cline version 2.3.0 was installed.
Cline maintainers have since released version 2.4.0 and deprecated the compromised version, and the compromised token has been revoked. Additionally, the npm publishing mechanism has been updated to support OpenID Connect (OIDC) via GitHub Actions.
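One way to run the environment check advised above, looking for the compromised version 2.3.0 and for unexpected OpenClaw installs (an added example, not code from the article or the Cline project). The npm package names cline and openclaw are assumptions, and the sample npm ls and lockfile data are constructed.

```javascript
// Added example, not code from the article or the Cline project.
// Assumptions: npm package names "cline" and "openclaw"; sample data is constructed.
const BAD = { name: "cline", version: "2.3.0" }; // compromised version per the article
const UNEXPECTED = "openclaw"; // assumed package name for OpenClaw

// Flatten `npm ls --json` output (nested "dependencies" maps) into records.
function* fromLsTree(node, trail = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = [...trail, name];
    yield { name, version: dep.version, where: path.join(" > "), installScript: false };
    yield* fromLsTree(dep, path);
  }
}

// Flatten a package-lock.json v2/v3 "packages" map into the same records.
function* fromLockfile(lock) {
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const i = key.lastIndexOf("node_modules/");
    const name = meta.name || (i < 0 ? key : key.slice(i + "node_modules/".length));
    yield { name, version: meta.version, where: key, installScript: meta.hasInstallScript === true };
  }
}

function audit(records) {
  const findings = [];
  for (const r of records) {
    if (r.name === BAD.name && r.version === BAD.version) {
      findings.push({ ...r, severity: "high", reason: "compromised release" });
    } else if (r.name === UNEXPECTED) {
      findings.push({ ...r, severity: "high", reason: "OpenClaw present, confirm it was intended" });
    } else if (r.installScript) {
      findings.push({ ...r, severity: "review", reason: "runs a script at install time" });
    }
  }
  return findings;
}

// Constructed sample: global tree in the shape printed by `npm ls -g --json`.
const sampleGlobal = { dependencies: {
  cline: { version: "2.3.0" }, openclaw: { version: "0.0.0-sample" }, npm: { version: "10.0.0-sample" },
} };
// Constructed sample: project lockfile with a fixed cline and one install script.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/cline": { version: "2.4.0" },
  "node_modules/example-native": { version: "0.4.1", hasInstallScript: true },
} };
console.log(audit([...fromLsTree(sampleGlobal), ...fromLockfile(sampleLock)]));
```

Feed it the parsed output of npm ls -g --json for global installs and the parsed package-lock.json for projects; the "review" findings list every dependency that runs a script at install time, the mechanism the 2.3.0 release used.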
Security researcher Adnan Khan discovered that attackers could steal repository authentication tokens through prompt injection by taking advantage of a misconfiguration in the workflow that gave Claude excessive permissions for arbitrary code execution within the default branch. This vulnerability was built upon PromptPwnd and was introduced in a source code commit made on December 21, 2025.
Chris Hughes, VP of Security Strategy at Zenity, described this incident as an operational reality of AI supply chain security, stating that when a single issue title can influence an automated build pipeline and affect a published release, the risk is no longer theoretical. He emphasized the need for package maintainers to enable trusted publishing and disable publication through traditional tokens, as well as for package users to pay attention to the presence (and sudden absence) of corresponding attestations.
The incident has sparked concerns about AI supply chain security and the risks associated with the use of autonomous AI agents in software development. It highlights the importance of vigilance and proactive measures to prevent such attacks in the future.
In conclusion, the compromise of Cline CLI and the installation of OpenClaw on unsuspecting developer systems underscores the need for increased awareness and vigilance in software supply chain security. By understanding the mechanisms exploited by attackers and taking proactive steps to secure our infrastructure, we can mitigate these risks and protect our software against malicious attacks.
Published: Fri Feb 20 09:27:31 2026 by llama3.2 3B Q4_K_M