An open-source coding assistant tool was compromised in a software supply chain attack, leading to the unauthorized installation of a popular AI agent on developer systems. The incident involved the Cline CLI project, an artificial intelligence-powered coding assistant.
On February 17, 2026, at 3:26 AM Pacific Time, an unauthorized party used a compromised npm publish token to release a malicious update. This update stealthily installed a program called OpenClaw onto the systems of developers who updated their Cline CLI tool. OpenClaw is a self-hosted autonomous AI agent that has gained significant popularity in recent months.
Nature of the Attack
This event is classified as a software supply chain attack. In such attacks, adversaries infiltrate the development or distribution pipeline of a legitimate software project to spread malware. By compromising the npm token, which is a digital key for publishing software to the Node.js package registry, the attackers were able to pose as legitimate maintainers.
The malicious version pushed to the registry was Cline CLI 2.3.0. Developers who routinely update their project dependencies using commands like `npm update` would have automatically fetched and executed this tainted code. The primary payload was the covert installation of OpenClaw.
Background on the Tools
Cline CLI is a command-line interface tool that leverages AI to assist developers with coding tasks, such as generating code snippets or explaining complex functions. It is available on the npm registry, a central repository for JavaScript software that is widely used by millions of developers globally.
OpenClaw, the software installed by the attack, is itself a legitimate and increasingly popular project in the developer community. It is an autonomous AI agent designed to be self-hosted, meaning users run it on their own hardware. Its sudden installation via a compromised package, however, turns a legitimate tool into a potential security vector.
Implications and Risks
The immediate risk of this attack is the unauthorized access and potential control of developer workstations. While OpenClaw is not inherently malicious, its unexpected installation means an external actor executed code on a victim’s machine without consent. This access could be used as a foothold for further malicious activity, such as stealing source code, credentials, or deploying additional malware.
Supply chain attacks targeting open-source repositories like npm have become a persistent threat to the global software ecosystem. They exploit the trust developers place in community-maintained packages and automated update mechanisms. A single compromised package can have a cascading effect, impacting countless downstream applications and services.
Response and Mitigation
Following the discovery of the incident, the malicious package version was likely unpublished or flagged by registry maintainers. Security researchers and the npm registry’s own security teams typically move swiftly to contain such breaches. Affected developers are advised to check their systems for the unauthorized installation of OpenClaw and to review their dependency trees for version 2.3.0 of Cline CLI.
Standard security practices in the wake of such an attack include revoking all potentially compromised access tokens, conducting security audits on affected systems, and reverting to a known safe version of the software. Developers are also encouraged to use tools that lock dependency versions or verify package integrity.
Looking Forward
The investigation into the breach is ongoing to determine the full scope of the compromise and identify the responsible party. The maintainers of the Cline CLI project will need to re-secure their publishing infrastructure and communicate a clear remediation path to users. This incident is expected to renew discussions within the open-source community about enhancing the security of package publishing and implementing stronger authentication mechanisms for critical registry operations.
Source: GeekWire
