On February 17, 2026, Cline maintainers disclosed that a compromised npm publish token was used to publish Cline CLI version 2.3.0 with an added postinstall script that silently installed OpenClaw on developer machines. Approximately 4,000 downloads occurred during an eight-hour window; maintainers released v2.4.0, deprecated 2.3.0, revoked the token and enabled OIDC publishing. Researchers link the breach to a prompt-injection and cache-poisoning chain called Clinejection.
Key Points
- Cline CLI v2.3.0, published on Feb 17, 2026, installed OpenClaw on developer machines.
- Reveals a prompt-injection and GitHub Actions cache-poisoning chain (Clinejection) that enabled theft of npm publish tokens.
- Urges maintainers to adopt OIDC publishing, revoke tokens, and govern AI agents as privileged actors.
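A defender-side audit of the mechanism described above, added here as an example and not part of the original report or of Cline's own tooling: it walks a node_modules tree for packages that declare install-time lifecycle hooks (the channel the compromised release used) and cross-checks a package-lock.json against a local blocklist. The npm package name `cline` is an assumption (the report only says "Cline CLI"); the sample manifests, the lockfile fragment and the postinstall command are constructed.

```python
"""Audit an npm install for packages that run install-time lifecycle hooks.

Hypothetical defender-side check. A hit is a review item, not a verdict:
install hooks are legitimate for native addons and similar packages.
"""
import json
import tempfile
from pathlib import Path

# npm runs these lifecycle scripts automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Local blocklist of (name, version). The package name "cline" is an assumption;
# 2.3.0 is the version the report names as compromised.
BLOCKLIST = {("cline", "2.3.0")}


def audit_node_modules(node_modules):
    """Report every installed package that declares an install-time hook.

    Returns a list of (name, version, hook, command, blocklisted) tuples.
    """
    findings = []
    for manifest_path in sorted(Path(node_modules).rglob("package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the audit
        if not isinstance(manifest, dict):
            continue
        name = manifest.get("name", "<unnamed>")
        version = manifest.get("version", "<unknown>")
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, version, hook, scripts[hook],
                                 (name, version) in BLOCKLIST))
    return findings


def check_lockfile(lock_text):
    """Return blocklisted (name, version) pairs pinned in a package-lock.json (lockfileVersion 2 or 3)."""
    lock = json.loads(lock_text)
    hits = []
    for path, entry in (lock.get("packages") or {}).items():
        if not path:
            continue  # the "" key is the root project itself
        # Entries are keyed by install path; the name follows the last "node_modules/".
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        if (name, entry.get("version")) in BLOCKLIST:
            hits.append((name, entry["version"]))
    return hits


# Constructed lockfile fragment for the demo (not a real Cline lockfile).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.0.1"},
        "node_modules/cline": {"version": "2.3.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})


def build_sample_tree(root):
    """Write a constructed node_modules tree: a benign package, a native addon with a
    legitimate install hook, and a package shaped like the compromised release."""
    samples = {
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "some-native-addon": {"name": "some-native-addon", "version": "1.0.0",
                              "scripts": {"install": "node-gyp rebuild"}},
        # Placeholder command; the real 2.3.0 postinstall is not reproduced here.
        "cline": {"name": "cline", "version": "2.3.0",
                  "scripts": {"postinstall": "node ./scripts/postinstall.js"}},
    }
    for folder, manifest in samples.items():
        pkg_dir = Path(root) / "node_modules" / folder
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root) / "node_modules"


def demo():
    """Build the sample tree in a temp dir and audit it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_node_modules(build_sample_tree(tmp))


if __name__ == "__main__":
    for name, version, hook, cmd, flagged in demo():
        marker = "BLOCKLISTED" if flagged else "review"
        print(f"[{marker}] {name}@{version} {hook}: {cmd}")
    print("lockfile hits:", check_lockfile(SAMPLE_LOCK))
```

Against a real project, point `audit_node_modules` at the project's node_modules directory and `check_lockfile` at the contents of its package-lock.json; running `npm ci --ignore-scripts` before the audit lets you inspect hooks without executing them.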
Scoring Rationale
High immediacy and credible sources drive the score; it is limited by the low observed malicious behavior and the contained download window.