Cline CLI Installs OpenClaw Through Compromised Token

On February 17, 2026, Cline maintainers disclosed that a compromised npm publish token was used to publish cline@2.3.0, adding a postinstall script that silently installed OpenClaw on developer machines. Approximately 4,000 downloads occurred during an eight-hour window; maintainers released v2.4.0, deprecated 2.3.0, revoked the token and enabled OIDC. Researchers link the breach to a prompt-injection and cache-poisoning chain called Clinejection.