What happened
A supply chain attack involving the open-source Cline CLI npm package (version 2.3.0) led to the unauthorized installation of the autonomous AI agent OpenClaw on developers’ systems. An attacker used a compromised npm publish token to push a modified version of Cline CLI that included a post-install script silently installing OpenClaw during the package installation. Cline maintainers have since deprecated the tainted release and published an updated version.
Who is affected
Developers and organizations that downloaded and installed Cline CLI version 2.3.0 from the npm registry during the roughly eight-hour window on February 17, 2026, an estimated ~4,000 downloads, may have had OpenClaw installed on their systems without their knowledge. The incident did not affect Cline’s Visual Studio Code extension or JetBrains plugin.
Why CISOs should care
Even though OpenClaw itself is not inherently malicious, its unauthorized deployment via a trusted package underscores significant risk in software supply chains. Autonomous agents like OpenClaw run with broad permissions, can persist as background daemons, and expand the attack surface for credential theft, unnoticed remote actions, or further exploitation, amplifying potential operational, data, and security impacts across development environments.
3 practical actions
- Audit and remediate: Identify and update any installations of Cline CLI to version 2.4.0 or higher; remove unauthorized instances of OpenClaw and verify there are no lingering services or agents running.
- Strengthen supply chain controls: Implement stricter verification of open-source dependencies, enforce code signing or provenance checks, and adopt least-privilege principles for automated tools and agents.
- Monitor and detect: Deploy behavioral monitoring and endpoint detection on developer workstations and CI/CD pipelines to catch unusual agent activity or unexpected installations.Â