{"id":490055,"date":"2026-02-21T14:08:18","date_gmt":"2026-02-21T14:08:18","guid":{"rendered":"https:\/\/www.newsbeep.com\/ca\/490055\/"},"modified":"2026-02-21T14:08:18","modified_gmt":"2026-02-21T14:08:18","slug":"ai-coding-assistant-cline-compromised-installs-openclaw-the-register","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/ca\/490055\/","title":{"rendered":"AI coding assistant Cline compromised, installs OpenClaw \u2022 The Register"},"content":{"rendered":"<p>Someone compromised open source AI coding assistant Cline CLI&#8217;s npm package earlier this week in an odd <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2026\/02\/12\/supply_chain_attacks\/\" rel=\"nofollow noopener\">supply chain attack<\/a> that secretly installed OpenClaw on developers&#8217; machines without their knowledge.\u00a0<\/p>\n<p>The incident occurred on Tuesday, when an &#8220;unauthorized party&#8221; used a compromised token to publish an update to Cline CLI on its npm registry that installs OpenClaw &#8211; the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2026\/02\/09\/openclaw_instances_exposed_vibe_code\/\" rel=\"nofollow noopener\">AI agent platform<\/a> slash <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2026\/02\/03\/openclaw_security_problems\/\" rel=\"nofollow noopener\">security nightmare<\/a> &#8211; on users&#8217; computers when they install cline@2.3.0.<\/p>\n<p>&#8220;Users who installed Cline CLI cline@2.3.0 during the approximately 8-hour window between 3:26 AM PT and 11:30 AM PT on February 17 will have openclaw globally installed,&#8221; Cline&#8217;s maintainers <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/github.com\/cline\/cline\/security\/advisories\/GHSA-9ppg-jx86-fqw7\">said<\/a> in a security advisory. &#8220;The openclaw package is a legitimate open source project and is not malicious, but its installation was not authorized or intended.&#8221;<\/p>\n<p>The maintainers also revoked the compromised token, and added that &#8220;npm publishing now uses OIDC provenance via GitHub Actions.&#8221;<\/p>\n<p>Anyone who installed Cline during this time period should update to a fixed version (2.4.0 or higher) and check their environment for a surprise OpenClaw installation.<\/p>\n<p>Earlier this month, security researcher Adnan Khan found and disclosed a prompt injection vulnerability (since fixed) to Cline that could be abused for this exact purpose.<\/p>\n<p>&#8220;To make sure it&#8217;s clear in the midst of the NPM package situation: I did NOT conduct overt testing on Cline&#8217;s repository,&#8221; Khan <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/adnanthekhan.com\/posts\/clinejection\/\">said<\/a> in an update to his research.\u00a0<\/p>\n<p>&#8220;I conducted my PoC on a mirror of Cline to confirm the prompt injection vulnerability,&#8221; he added. &#8220;A different actor found my PoC on my test repository and used it to directly attack Cline and obtain the publication credentials.&#8221;<\/p>\n<p>Microsoft did <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/MsftSecIntel\/status\/2024575596941263040\">note<\/a> a &#8220;small but noticeable uptick in installations of OpenClaw initiated by Cline CLI installation script&#8221; during the eight-hour supply chain incident on February 17.<\/p>\n<p>StepSecurity, meanwhile, <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.endorlabs.com\/learn\/supply-chain-attack-targeting-cline-installs-openclaw\">reported<\/a> that the compromised version was downloaded about 4,000 times before the package maintainers deprecated it.<\/p>\n<p>We don&#8217;t know who&#8217;s responsible for slipping OpenClaw into Cline&#8217;s npm registry &#8211; and for what purposes other than creating more chaotic AI agents. \u00a0\u00ae<\/p>\n","protected":false},"excerpt":{"rendered":"Someone compromised open source AI coding assistant Cline CLI&#8217;s npm package earlier this week in an odd supply&hellip;\n","protected":false},"author":2,"featured_media":490056,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[62,276,277,49,48,61],"class_list":{"0":"post-490055","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-ai","9":"tag-artificial-intelligence","10":"tag-artificialintelligence","11":"tag-ca","12":"tag-canada","13":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/posts\/490055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/comments?post=490055"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/posts\/490055\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/media\/490056"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/media?parent=490055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/categories?post=490055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/tags?post=490055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}