- What: A malicious version of the Cline npm package (version 2.3.0) was distributed via a supply chain attack, installing the OpenClaw program.
- Impact: Users who downloaded Cline received a poisoned version of the tool for approximately eight hours.
Supply Chain Attack Secretly Installs OpenClaw for Cline Users

The malicious version of Cline's npm package — 2.3.0 — was downloaded more than 4,000 times before it was removed.

Rob Wright, Senior News Director, Dark Reading
February 19, 2026

The rapid spread of OpenClaw wasn't going fast enough for someone.

Cybersecurity vendors this week noticed an odd trend when the npm package for version 2.3.0 of Cline, a widely used open source AI coding tool, began installing an apparent stowaway program: OpenClaw. For approximately eight hours, users who downloaded Cline received a poisoned version of the tool that, while not carrying traditional malware, still made unauthorized installations on their systems.

It's unclear who perpetrated this odd supply chain attack, and what the ultimate motivation is beyond forced installations of OpenClaw. But the attack marks the latest red flag for the fast-growing AI framework, which security researchers have expressed concerns about since its explosion onto the technology landscape last month.

A PoC Leads to a Poisoned NPM Package

The supply chain attack stemmed from a vulnerability disclosed earlier this month by security researcher Adnan Khan. Exploitation of the vulnerability, which had no assigned CVE at press time, can lead to an attacker obtaining secrets such as release tokens.

"Between Dec. 21, 2025, and Feb. 9, 2026, a prompt injection vulnerability in Cline's (now removed) Claude Issue Triage workflow allowed any attacker with a GitHub account to compromise production Cline releases on both the Visual Studio Code Marketplace and OpenVSX and publish malware to millions of developers!" Khan wrote in a blog post.

Khan said his attempts to contact Cline were initially "fruitless," and the company quickly patched the vulnerability shortly after his research was published. Unfortunately, someone took advantage of Khan's research, stole an npm publish token, and tricked the latest version of Cline into also installing OpenClaw.

Henrik Plate, security researcher with Endor Labs, explained in a blog post that version 2.3.0 of the Cline CLI npm package used a post-install hook to silently download OpenClaw to the same system. While the impact is considered low because OpenClaw isn't malicious, he noted that "this event emphasizes the need for package maintainers to not only enable trusted publishing, but also disable publication through traditional tokens — and for package users to pay attention to the presence (and sudden absence) of corresponding attestations."

In an update to his blog post, Khan stressed that he was not behind the supply chain attack and that he didn't conduct testing of his proof-of-concept (PoC) exploit on Cline's repository. "I conducted my PoC on a mirror of Cline to confirm the prompt injection vulnerability. A different actor found my PoC on my test repository and used it to directly attack Cline and obtain the publication credentials," he wrote.

Cline published an advisory on GitHub and released version 2.4.0 while removing the previous, tainted npm package. "The compromised token has been revoked and npm publishing now uses OIDC provenance via GitHub Actions," the company said.
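The mechanism described above (a lifecycle hook that runs at install time) and the two consumer-side signals Plate points to (whether a version carries a provenance attestation, and whether an attestation that earlier versions had has suddenly disappeared) can be turned into a pre-install gate. The Node.js script below is an added example written for this article; it is not Cline's, Endor Labs', StepSecurity's or npm's code. It assumes a trimmed-down shape of the registry's per-version metadata: the `scripts` object from each version's `package.json`, and a `dist.attestations` field that npm populates for versions published with provenance. The `example-cli` packument and its three versions are constructed for illustration and are not real Cline registry data.

```javascript
// Added example: gate an npm package version on two signals from the article.
//   1. Lifecycle hooks (preinstall/install/postinstall/prepare) run arbitrary
//      code at install time; the poisoned release used a post-install hook.
//   2. Provenance attestations: a version that lacks one while an earlier
//      version had one is a "sudden absence" worth blocking on.
// Input shape (an assumption of this example): a registry packument with
// packument.versions[v].scripts and packument.versions[v].dist.attestations.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Minimal x.y.z comparison so the example has no dependencies; real code
// should use the semver package, which also handles prerelease tags.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Names of lifecycle hooks that would execute on `npm install`.
function installHooks(versionMeta) {
  const scripts = (versionMeta && versionMeta.scripts) || {};
  return LIFECYCLE_HOOKS.filter(
    (h) => typeof scripts[h] === 'string' && scripts[h].trim() !== ''
  );
}

// True when the version carries a provenance attestation record.
function hasProvenance(versionMeta) {
  const att = versionMeta && versionMeta.dist && versionMeta.dist.attestations;
  return Boolean(att && att.provenance);
}

// Assess one version against the whole publication history of the package.
function assessVersion(packument, version) {
  const meta = packument.versions[version];
  if (!meta) throw new Error(`unknown version ${version}`);
  const hooks = installHooks(meta);
  const attested = hasProvenance(meta);
  const earlierAttested = Object.keys(packument.versions)
    .filter((v) => compareVersions(v, version) < 0)
    .some((v) => hasProvenance(packument.versions[v]));
  const lostAttestation = earlierAttested && !attested;

  let verdict = 'allow';
  if (lostAttestation || (hooks.length > 0 && !attested)) verdict = 'block';
  else if (hooks.length > 0) verdict = 'review'; // attested, but still runs code
  return { version, hooks, attested, lostAttestation, verdict };
}

// Constructed sample packument (not real registry data): 2.2.0 and 2.4.0 were
// published with provenance and have no hooks; 2.3.0 dropped the attestation
// and added a postinstall hook, mirroring the pattern the article describes.
const PROVENANCE = { url: 'https://example.invalid/attestation', provenance: { predicateType: 'https://slsa.dev/provenance/v1' } };
const SAMPLE_PACKUMENT = {
  name: 'example-cli',
  versions: {
    '2.2.0': { scripts: { test: 'node test.js' }, dist: { attestations: PROVENANCE } },
    '2.3.0': { scripts: { test: 'node test.js', postinstall: 'node scripts/fetch-extra.js' }, dist: {} },
    '2.4.0': { scripts: { test: 'node test.js' }, dist: { attestations: PROVENANCE } },
  },
};

function demo() {
  return Object.keys(SAMPLE_PACKUMENT.versions).map((v) => assessVersion(SAMPLE_PACKUMENT, v));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) {
    console.log(`${SAMPLE_PACKUMENT.name}@${r.version}: ${r.verdict}`
      + ` (hooks=${r.hooks.join(',') || 'none'}, attested=${r.attested}, lostAttestation=${r.lostAttestation})`);
  }
}
```

Running it prints `allow` for 2.2.0 and 2.4.0 and `block` for 2.3.0, with the postinstall hook and the lost attestation both named. A check like this complements, rather than replaces, the baseline of installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) in environments where packages are not expected to run code at install time.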
OpenClaw Not Malicious, But Risky

StepSecurity said the compromised Cline package was downloaded approximately 4,000 times over an eight-hour stretch before version 2.3.0 was deprecated. And while the short-lived supply chain attack didn't deploy malware, that doesn't mean it didn't present serious risk.

Sai Likhith Paradarami, software engineer with StepSecurity, explained in a blog post that OpenClaw is a "dangerous payload" because it had broad permissions as well as full disk access on a system in order to execute tasks on the user's behalf. OpenClaw also establishes a persistent Gateway daemon that runs quietly in the background as a WebSocket server. "This design makes it an exceptionally high-value implant for an attacker," Paradarami wrote, adding that a silently installed version of OpenClaw could give a threat actor a persistent foothold on a targeted system with the ability to steal secrets and credentials as well as tamper with development environments.

Along with updating their systems to version 2.4.0, Paradarami urged Cline users to review their environments for any unwanted installations of OpenClaw.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.