Supply Chain Attack Secretly Installs OpenClaw for Cline Users
Dark Reading
by Rob WrightFebruary 19, 2026
AI-Generated Deep Dive Summary
A recent supply chain attack exploited a vulnerability in the Cline AI coding tool's npm package to secretly install OpenClaw on users' systems. The malicious version 2.3.0 of Cline was downloaded over 4,000 times before being removed. While OpenClaw itself isn't traditional malware, it poses risks due to its broad system access and ability to establish a persistent WebSocket server.
The attack emerged after security researcher Adnan Khan disclosed a prompt injection vulnerability in Cline's workflow, which allowed attackers with GitHub accounts to publish malicious versions of the tool. Despite Cline quickly patching the issue, an unknown actor exploited this vulnerability by stealing an npm publish token and distributing OpenClaw through the compromised package.
OpenClaw's design makes it particularly dangerous as a potential implant for attackers, despite not being classified as malware. It grants extensive system access and persistence, making it a valuable tool for adversaries to gain unauthorized control over infected systems.
This incident highlights critical security gaps in open-source supply chains. The lack of trusted publishing practices and proper token management left Cline vulnerable. Experts emphasize the importance of enabling trusted publishing workflows and disabling traditional token-based publication to prevent such attacks.
The attack underscores the growing risks associated with widely used AI tools like Cline, which have become targets due to their popularity. Developers must remain vigilant, monitor for suspicious package updates, and prioritize supply chain security to mitigate similar threats in the future.
Verticals
securitytech
Originally published on Dark Reading on 2/19/2026