Overview
- An unauthorized party used a compromised npm publish token to release cline@2.3.0 with a postinstall script that installed OpenClaw globally.
- Maintainers deprecated 2.3.0, revoked the token, shipped 2.4.0, and enabled OIDC-based publishing via GitHub Actions.
- The tainted version was available for about eight hours on February 17, with roughly 4,000 downloads and a Microsoft-noted uptick in OpenClaw installs.
- Researcher Adnan Khan detailed the 'Clinejection' path, which combines prompt injection against an AI triage workflow with GitHub Actions cache poisoning to reach publish secrets, while clarifying that another actor weaponized his public PoC.
- Cline reported no other malicious changes, said OpenClaw’s installation was unauthorized, and advised users to update, audit for unexpected OpenClaw, and note that IDE extensions were not affected.
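As an added example (not code from the Cline project or the original post), a small Python audit for the two checks the advice above implies: a lockfile pinned to the tainted cline@2.3.0 release, and an unexpected global OpenClaw install. It assumes npm lockfileVersion 2/3 layout and that the OpenClaw npm package name contains "openclaw", which the page does not state.

```python
"""Audit helpers for the advice above: flag a lockfile pinned to the tainted
cline@2.3.0 release, and flag an unexpected global OpenClaw install.
Added example, not Cline project code. Assumptions: npm lockfileVersion 2/3
('packages' keyed by node_modules path) and that the OpenClaw npm package
name contains 'openclaw' (the page does not give the package name)."""
import json

# Tainted releases named in the advisory (package -> versions).
TAINTED = {"cline": {"2.3.0"}}


def audit_lockfile(lock_text: str) -> list[str]:
    """Return one finding per dependency pinned to a tainted version."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the project root, not a dependency
        # Nested entries look like node_modules/a/node_modules/cline.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in TAINTED.get(name, set()):
            findings.append(f"{path}: {name}@{meta['version']} is tainted")
    return findings


def unexpected_global(npm_ls_json: str, expected: set[str]) -> list[str]:
    """Parse `npm ls -g --json --depth=0` output and list OpenClaw-like
    global packages that are not in the operator's expected set."""
    tree = json.loads(npm_ls_json)
    return sorted(
        f"{name}@{meta.get('version', '?')}"
        for name, meta in tree.get("dependencies", {}).items()
        if "openclaw" in name.lower() and name not in expected
    )


# Constructed sample inputs (not real captures).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/cline": {"version": "2.3.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
}})
SAMPLE_LOCK_CLEAN = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"}, "node_modules/cline": {"version": "2.4.0"}}})
SAMPLE_GLOBAL = json.dumps({"dependencies": {
    "npm": {"version": "10.8.2"}, "openclaw": {"version": "1.0.0"}}})

if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCK))
    print(unexpected_global(SAMPLE_GLOBAL, expected=set()))
```

Run `audit_lockfile` over each project's package-lock.json and feed the real `npm ls -g --json --depth=0` output to `unexpected_global` with the set of global packages you installed on purpose.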