Executive Summary
In February 2026, the Cline CLI, a widely used AI coding assistant, was compromised through a supply chain attack. An unauthorized party exploited a stolen npm publish token to release version 2.3.0 of Cline CLI, which included a modified package.json file. This modification added a postinstall script that silently installed OpenClaw, an unrelated open-source package, on developers' systems upon installation. The malicious version was available for approximately eight hours before being deprecated, during which it was downloaded around 4,000 times. The Cline team responded by revoking the compromised token, publishing a corrected version (2.4.0), and enhancing their release pipeline security. This incident underscores the escalating threat of supply chain attacks targeting developer tools. The unauthorized installation of OpenClaw, while not inherently malicious, highlights the potential for more harmful payloads in future attacks. Organizations are urged to audit their development environments and enforce stringent security measures to mitigate such risks.
Why This Matters Now
The Cline CLI supply chain attack highlights the urgent need for enhanced security in software development pipelines. As attackers increasingly target developer tools, organizations must implement robust measures to protect against unauthorized access and ensure the integrity of their software supply chains.
Attack Path Analysis
An attacker exploited a prompt injection vulnerability in Cline's AI-powered issue triage workflow to gain unauthorized access. This access allowed the attacker to obtain npm publish tokens, enabling the publication of a malicious Cline CLI version. Upon installation, this version executed a postinstall script that globally installed OpenClaw on developer systems. The unauthorized installation of OpenClaw provided the attacker with potential command and control capabilities. While no data exfiltration was reported, the presence of OpenClaw posed a risk of unauthorized data access. The incident led to the deprecation of the compromised Cline version and the revocation of the compromised tokens.
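Added example (not code from Cline or from the sources cited on this page): a Node.js check for the pattern described above, an install-time lifecycle script in package.json that pulls in another package. The registry name "cline", the rule list and the sample manifests are assumptions constructed for illustration; only the version numbers 2.3.0 and 2.4.0 come from the incident description.

```javascript
// Added example: flag install-time lifecycle scripts in a parsed package.json.
// npm can run these hooks automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Version 2.3.0 comes from the incident report; the registry name "cline"
// is an assumption and should be adjusted to the package you actually track.
const KNOWN_BAD = new Map([["cline", ["2.3.0"]]]);

// Commands that rarely belong in an install hook (illustrative rule set).
const RULES = [
  { id: "global-install",
    re: /\b(?:npm|pnpm)\s+(?:i|install|add)\b[^;&|]*\s(?:-g|--global)\b|\byarn\s+global\s+add\b/ },
  { id: "remote-shell", re: /\b(?:curl|wget)\b[^;&]*\|\s*(?:ba|z)?sh\b/ },
];

function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  if ((KNOWN_BAD.get(manifest.name) || []).includes(manifest.version)) {
    findings.push({ severity: "critical", rule: "known-bad-release",
                    detail: `${manifest.name}@${manifest.version}` });
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const hits = RULES.filter((r) => r.re.test(cmd)).map((r) => r.id);
    findings.push({
      severity: hits.length ? "high" : "review",
      rule: hits.length ? hits.join(",") : "install-hook-present",
      detail: `${hook}: ${cmd}`,
    });
  }
  return findings;
}

// Constructed sample manifests, not the contents of any real release.
const SAMPLES = {
  tampered: { name: "cline", version: "2.3.0",
              scripts: { postinstall: "npm install -g example-agent@latest" } },
  corrected: { name: "cline", version: "2.4.0", scripts: { build: "tsc" } },
  nativeAddon: { name: "example-native-addon", version: "1.0.0",
                 scripts: { install: "node-gyp rebuild" } },
};

for (const [label, manifest] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(auditManifest(manifest)));
}
```

Pass it the result of JSON.parse on any package.json under node_modules. Installing with npm's --ignore-scripts option keeps lifecycle scripts from running at all.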
Kill Chain Progression
Initial Compromise
Description
An attacker exploited a prompt injection vulnerability in Cline's AI-powered issue triage workflow to gain unauthorized access.
MITRE ATT&CK® Techniques
Compromise Software Dependencies and Development Tools
Unsecured Credentials
Command and Scripting Interpreter
Exfiltration Over C2 Channel
Valid Accounts
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and firmware
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Data Security
Control ID: Pillar 3: Data
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting development tools like Cline CLI directly compromise software engineering workflows, requiring enhanced egress security and zero trust segmentation.
Information Technology/IT
IT sectors face critical risk from compromised AI coding assistants installing autonomous agents, necessitating multicloud visibility and threat detection capabilities.
Financial Services
Financial institutions using AI development tools risk unauthorized autonomous agent deployment, requiring strict compliance with encryption standards and anomaly detection systems.
Health Care / Life Sciences
Healthcare development environments compromised by supply chain attacks threaten HIPAA compliance, demanding enhanced kubernetes security and east-west traffic monitoring.
Sources
- Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems: https://thehackernews.com/2026/02/cline-cli-230-supply-chain-attack.html (Verified)
- AI Dev Tool Cline’s npm Token Hijacked by Hackers for 8 Hours: https://cybersecuritynews.com/ai-dev-tool-cline/ (Verified)
- AI coding assistant Cline compromised, installs OpenClaw: https://www.theregister.com/2026/02/20/openclaw_snuck_into_cline_package/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's unauthorized access would likely have been constrained, reducing their ability to exploit vulnerabilities within the AI-powered workflow.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely have been limited, reducing the risk of obtaining sensitive tokens.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement across developer systems would likely have been constrained, limiting the spread of malicious software.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels would likely have been detected and disrupted, reducing their ability to manage compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's potential data exfiltration efforts would likely have been restricted, minimizing the risk of unauthorized data transfer.
The overall impact of the incident would likely have been reduced, limiting operational disruptions and the need for extensive remediation efforts.
Impact at a Glance
Affected Business Functions
- Software Development
- DevOps
Estimated downtime: N/A
Estimated loss: N/A
No sensitive data exposure reported.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict unauthorized lateral movement within the network.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unusual activities promptly.
- Utilize Multicloud Visibility & Control to monitor and manage security across diverse cloud environments.
- Apply Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- Regularly audit and rotate access tokens to minimize the risk of credential compromise.



