The supply chain attack saw a poisoned version of Cline’s npm package, version 2.3.0, downloaded more than 4,000 times before it was removed. For about eight hours, users who installed the package received OpenClaw, a tool that isn’t traditional malware but can install itself and perform actions on the system. It is unclear who was behind the attack or the ultimate motivation beyond forced installations of OpenClaw, though the incident underscores ongoing concerns around the AI framework’s security.
A proof of concept (PoC) by security researcher Adnan Khan disclosed a prompt-injection vulnerability that allowed attackers with GitHub accounts to compromise production Cline releases on multiple marketplaces; exploitation of that vulnerability led to the tainted npm package. Henrik Plate of Endor Labs explained that the 2.3.0 release used a post-install hook to silently download OpenClaw, highlighting the need for publishers to disable token-based publication and for users to watch for attestations.
Khan stated he was not behind the attack and that another actor used his PoC to attack Cline and obtain publication credentials, after which Cline issued an advisory and released version 2.4.0. StepSecurity’s Sai Likhith Paradarami described OpenClaw as a dangerous payload with broad permissions and full disk access, emphasising its potential to give a threat actor a persistent foothold, while urging users to remove OpenClaw and review environments. According to the advisory, the compromised token has been revoked and npm publishing now uses OIDC provenance via GitHub Actions.
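
To support the environment review urged above, here is an added example (not code from Cline, Endor Labs or StepSecurity) that scans a parsed package-lock.json for the 2.3.0 release and for any dependency that declares install scripts, the mechanism Plate describes. It assumes the package is published under the name `cline` and a lockfile of version 2 or 3; the sample lockfile is constructed.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// Assumption: the affected package is published under the name "cline".
const AFFECTED = { name: "cline", version: "2.3.0" }; // version from the article

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath, entry) {
  if (entry.name) return entry.name; // recorded when the folder name differs (aliases)
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function auditLockfile(lock) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const report = { affected: [], installScripts: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageName(lockPath, entry);
    const id = `${name}@${entry.version}`;
    if (name === AFFECTED.name && entry.version === AFFECTED.version) {
      report.affected.push({ id, path: lockPath });
    }
    // npm sets hasInstallScript when a package declares
    // preinstall, install or postinstall scripts.
    if (entry.hasInstallScript === true) {
      report.installScripts.push({ id, path: lockPath });
    }
  }
  return report;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/cline": { version: "2.3.0", hasInstallScript: true },
    "node_modules/@demo/native-addon": { version: "0.4.1", hasInstallScript: true },
    "node_modules/demo-util": { version: "1.3.0" },
    "node_modules/tooling/node_modules/cline": { version: "2.4.0" },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

Feed it the result of `JSON.parse` on a project's package-lock.json. For the attestation side, `npm audit signatures` verifies registry signatures and provenance attestations for installed packages.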