Someone compromised open source AI coding assistant Cline CLI’s npm package earlier this week in an odd supply chain attack that secretly installed OpenClaw on developers’ machines without their knowledge.
The incident occurred on Tuesday, when an “unauthorized party” used a compromised token to publish an update to Cline CLI on its npm registry that installs OpenClaw – the AI agent platform slash security nightmare – on users’ computers when they install cline@2.3.0.
“Users who installed Cline CLI cline@2.3.0 during the approximately 8-hour window between 3:26 AM PT and 11:30 AM PT on February 17 will have openclaw globally installed,” Cline’s maintainers said in a security advisory. “The openclaw package is a legitimate open source project and is not malicious, but its installation was not authorized or intended.”
The maintainers also revoked the compromised token, and added that “npm publishing now uses OIDC provenance via GitHub Actions.”
Anyone who installed Cline during this time period should update to a fixed version (2.4.0 or higher) and check their environment for a surprise OpenClaw installation.
Earlier this month, security researcher Adnan Khan found and disclosed a prompt injection vulnerability (since fixed) to Cline that could be abused for this exact purpose.
“To make sure it’s clear in the midst of the NPM package situation: I did NOT conduct overt testing on Cline’s repository,” Khan said in an update to his research.
“I conducted my PoC on a mirror of Cline to confirm the prompt injection vulnerability,” he added. “A different actor found my PoC on my test repository and used it to directly attack Cline and obtain the publication credentials.”
Microsoft did note a “small but noticeable uptick in installations of OpenClaw initiated by Cline CLI installation script” during the eight-hour supply chain incident on February 17.
StepSecurity, meanwhile, reported that the compromised version was downloaded about 4,000 times before the package maintainers deprecated it.
We don’t know who’s responsible for slipping OpenClaw into Cline’s npm registry – and for what purposes other than creating more chaotic AI agents. ®