On February 17, 2026, somebody used a stolen npm publish token to ship cline@2.3.0 with one addition: a postinstall script that ran npm install -g openclaw@latest. Around 4,000 developers downloaded it before the Cline team pulled the package eight hours later.
OpenClaw itself isn't malware. But having it show up uninvited on your system? That's a problem.
What Actually Happened
Security researcher Adnan Khan had previously discovered what he called the "Clinejection" vulnerability. A prompt injection flaw in Cline's Claude Issue Triage GitHub Actions workflow allowed attackers to extract the NPM_RELEASE_TOKEN from CI. Khan reported the vulnerability responsibly, and Cline rotated their tokens on February 9.
Here's the problem. They deleted the wrong token. The exposed NPM_RELEASE_TOKEN stayed active.
Eight days later, a different unknown actor used that lingering token to publish the compromised package. The attack window ran from 3:26 AM to 11:30 AM Pacific Time. Cline revoked the correct token at 11:30 AM, published a clean v2.4.0, and posted their incident report.
Why the Severity Rating Is "Low"
The GitHub advisory GHSA-9ppg-jx86-fqw7 rates this as Low severity. OpenClaw is legitimate open-source software. The Gateway daemon (which would need broad system permissions) was never started by the postinstall script. So in practice, OpenClaw just sat there. Installed but dormant.
That said, an unauthorized global package install is still a supply chain breach. Treat it seriously even if nothing actively ran.
What You Should Do
If you installed or updated Cline between 3:26 AM and 11:30 AM PT on February 17:
- Update Cline: run cline update or npm install -g cline@latest to get v2.4.0
- Remove OpenClaw: run npm uninstall -g openclaw
- Verify: run npm list -g openclaw to confirm it's gone
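The three checks above can be scripted so a fleet of developer machines can be audited for the affected version and the uninvited package in one pass. The script below is an added example, not Cline's or ClawHosters' tooling; it assumes the npm global root is the directory npm root -g reports, and the SAMPLE_AFFECTED snapshot is constructed to look like a machine that installed cline@2.3.0.

```python
"""Audit a global npm install for the cline@2.3.0 / openclaw incident (added example)."""
import json
import subprocess
from pathlib import Path

COMPROMISED_CLINE_VERSION = "2.3.0"  # version published with the stolen token
UNWANTED_PACKAGE = "openclaw"         # what the rogue postinstall pulled in

# Constructed snapshot of an affected machine: package name -> package.json contents.
SAMPLE_AFFECTED = {
    "cline": {"version": "2.3.0",
              "scripts": {"postinstall": "npm install -g openclaw@latest"}},
    "openclaw": {"version": "0.0.0"},  # placeholder version, not a real release
}


def assess_global_install(packages: dict) -> list:
    """Return findings for a mapping of package name -> parsed package.json."""
    findings = []
    cline = packages.get("cline")
    if cline is not None:
        if cline.get("version") == COMPROMISED_CLINE_VERSION:
            findings.append("cline 2.3.0 installed: run `npm install -g cline@latest`")
        postinstall = cline.get("scripts", {}).get("postinstall", "")
        if UNWANTED_PACKAGE in postinstall:
            findings.append(f"cline postinstall pulls {UNWANTED_PACKAGE}: {postinstall!r}")
    if UNWANTED_PACKAGE in packages:
        findings.append(f"{UNWANTED_PACKAGE} installed globally: run `npm uninstall -g {UNWANTED_PACKAGE}`")
    return findings


def read_global_packages(root: Path) -> dict:
    """Read package.json for every top-level (plain and @scoped) package under root."""
    packages = {}
    manifests = list(root.glob("*/package.json")) + list(root.glob("@*/*/package.json"))
    for manifest in manifests:
        with manifest.open(encoding="utf-8") as fh:
            packages[str(manifest.parent.relative_to(root))] = json.load(fh)
    return packages


def npm_global_root() -> Path:
    """Ask npm where global packages live (the same tree `npm list -g` reads)."""
    out = subprocess.run(["npm", "root", "-g"], capture_output=True, text=True, check=True)
    return Path(out.stdout.strip())


if __name__ == "__main__":
    # Run against the real machine; falls back to the constructed sample if npm is absent.
    try:
        packages = read_global_packages(npm_global_root())
    except (FileNotFoundError, subprocess.CalledProcessError):
        packages = SAMPLE_AFFECTED
    print("\n".join(assess_global_install(packages) or ["no findings"]))
```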
If you're running OpenClaw intentionally through ClawHosters, this doesn't affect your managed instance. Your deployment is isolated and wasn't touched by the npm incident. For extra peace of mind, run the OpenClaw Safety Scanner against your configuration.
Bigger Picture
Supply chain attacks on developer tools keep happening. This one was relatively benign because OpenClaw is real software, not a credential stealer. But the mechanism, a leftover npm token after an incomplete rotation, is exactly the kind of mistake that leads to worse outcomes next time. If you're evaluating how to run OpenClaw without worrying about npm supply chains, managed hosting sidesteps the problem entirely.
If you self-host OpenClaw and want to understand its permission model better, our security hardening guide walks through every surface area.