How was the Cline npm package compromised?

An unauthorized party used a stolen npm publish token to release a malicious version of the Cline CLI package.

What measures can prevent similar supply chain attacks?

Implementing strict access controls, monitoring for unauthorized changes, and using automated tools to detect anomalies in package releases can help prevent such attacks.

Cline 2026 Supply Chain Attack: Lessons Learned

An in-depth analysis of the Cline npm package compromise and its implications for software supply chain security.

Published: February 20, 2026

Share this on:

Executive Summary

In February 2026, the Cline CLI npm package, a widely used AI coding assistant, was compromised through a supply chain attack. An unauthorized party exploited a stolen npm publish token to release version 2.3.0, which included a postinstall script that silently installed the OpenClaw package globally on users' machines. This malicious version was available for approximately eight hours before being deprecated, during which it was downloaded over 4,000 times. While OpenClaw itself is not malicious, its unauthorized installation raised significant security concerns. This incident underscores the escalating threat of supply chain attacks targeting developer tools and the necessity for robust security measures in software distribution pipelines.

Why This Matters Now

The Cline incident highlights the increasing prevalence of supply chain attacks in the software development ecosystem. As attackers continue to exploit vulnerabilities in package management systems, it is imperative for organizations to implement stringent security protocols to protect against unauthorized code execution and maintain the integrity of their development environments.

Attack Path Analysis

An attacker exploited a prompt injection vulnerability in Cline's GitHub workflow to obtain npm publish tokens, allowing them to release a malicious version of the Cline package. This compromised package, once installed by users, executed a post-installation script that silently downloaded and installed OpenClaw, granting the attacker unauthorized access to the victim's system. With OpenClaw installed, the attacker could escalate privileges, move laterally within the network, establish command and control channels, exfiltrate sensitive data, and potentially cause further impact.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Lowinferred

Initial Compromise

Description

The attacker exploited a prompt injection vulnerability in Cline's GitHub workflow to obtain npm publish tokens, enabling the release of a malicious version of the Cline package.

Confidence:

High

MITRE ATT&CK® Techniques

Initial Access

T1195.001

Compromise Software Dependencies and Development Tools

Execution

T1204.005

User Execution: Malicious Library

Credential Access

T1552

Unsecured Credentials

Execution

T1059

Command and Scripting Interpreter

Exfiltration

T1041

Exfiltration Over C2 Channel

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure the integrity of software and firmware

Control ID: 6.2.3

The incident involved the distribution of a malicious npm package, compromising software integrity and violating the requirement to maintain secure software components.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The attack exploited vulnerabilities in the software supply chain, indicating deficiencies in the organization's cybersecurity policies related to third-party software management.

DORA – ICT Risk Management Framework

Control ID: Article 6

The breach highlights inadequate risk management practices concerning ICT supply chain security, as required under DORA's ICT risk management framework.

CISA ZTMM 2.0 – Supply Chain Risk Management

Control ID: Supply Chain Security

The incident underscores the need for robust supply chain risk management practices to prevent unauthorized code from entering the development pipeline.

NIS2 Directive – Supply Chain Security

Control ID: Article 21

The attack demonstrates a failure to ensure the security of supply chains, as mandated by NIS2, potentially affecting the continuity of essential services.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Computer Software/Engineering

Supply chain attacks targeting npm packages directly threaten software development workflows, compromising code integrity and enabling lateral movement through development environments.

Information Technology/IT

OpenClaw malware installation via compromised Cline package poses significant risks to IT infrastructure, requiring enhanced egress security and zero trust segmentation controls.

Financial Services

Supply chain compromises threaten PCI compliance requirements, necessitating strengthened east-west traffic security and threat detection capabilities for protecting sensitive financial data.

Health Care / Life Sciences

Healthcare organizations face HIPAA compliance violations from supply chain attacks, requiring robust multicloud visibility and encrypted traffic controls to protect patient data.

Sources

Supply Chain Attack Secretly Installs OpenClaw for Cline Usershttps://www.darkreading.com/application-security/supply-chain-attack-openclaw-cline-users
Verified

Unauthorized npm publish of cline@2.3.0 with modified postinstall scripthttps://advisories.gitlab.com/pkg/npm/cline/GHSA-9ppg-jx86-fqw7/

Verified

Supply Chain Attack targeting Cline installs OpenClawhttps://www.endorlabs.com/learn/supply-chain-attack-targeting-cline-installs-openclaw

Verified

AI Dev Tool Cline’s npm Token Hijacked by Hackers for 8 Hourshttps://cybersecuritynews.com/ai-dev-tool-cline/

Verified

Frequently Asked Questions

The attack led to the unauthorized installation of OpenClaw on users' machines, raising security concerns despite OpenClaw being non-malicious.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit vulnerabilities and move laterally within the network, thereby reducing the overall blast radius.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit the prompt injection vulnerability and obtain npm publish tokens would likely be constrained, reducing the risk of releasing a malicious package.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges through the malicious package would likely be constrained, reducing the risk of unauthorized access.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the risk of accessing other systems and resources.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing the risk of remote execution of commands.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data loss.

Impact (Mitigations)

The attacker's ability to cause further impact, such as deploying ransomware or disrupting services, would likely be constrained, reducing the risk of significant damage.

Impact at a Glance

Affected Business Functions

Software Development
Continuous Integration/Continuous Deployment (CI/CD) Pipelines

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

No sensitive data exposure reported; unauthorized installation of OpenClaw occurred.

Recommended Actions

• Implement Zero Trust Segmentation to restrict unauthorized lateral movement within the network.
• Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
• Utilize Threat Detection & Anomaly Response to identify and respond to unusual activities indicative of compromise.
• Apply Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities.
• Ensure Multicloud Visibility & Control to maintain comprehensive oversight of network activities across all environments.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Cline 2026 Supply Chain Attack: Lessons Learned

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Compromise Software Dependencies and Development Tools

User Execution: Malicious Library

Unsecured Credentials

Command and Scripting Interpreter

Exfiltration Over C2 Channel

Potential Compliance Exposure

PCI DSS 4.0 – Ensure the integrity of software and firmware

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Supply Chain Risk Management

NIS2 Directive – Supply Chain Security

Sector Implications

Computer Software/Engineering

Information Technology/IT

Financial Services

Health Care / Life Sciences

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads