AI Agent Cline v2.3.0 Compromised: From Prompt Injection to Unauthorized npm Publish
Table of Contents
TL;DR
On February 17, 2026, a compromised npm token was used to publish an unauthorized version of the popular AI coding tool, cline@2.3.0. The version contained a modified package.json with a postinstall script that silently installed another package globally.
What Happened?
According to the GitHub Security Advisory GHSA-9ppg-jx86-fqw7, an unauthorized party gained access to an npm publish token and released cline@2.3.0. The malicious version was live for roughly 8 hours (3:26 AM to 11:30 AM PT on February 17) before being deprecated.
Security researcher Adnan Khan’s investigation identified a prompt injection vulnerability in Cline’s AI-powered issue triage workflow. The workflow used claude-code-action with broad tool permissions (Bash, Write, Edit) and allowed any GitHub user to trigger it by opening an issue. A crafted issue title could inject a prompt that tricks Claude into running npm install from an attacker-controlled fork. Because the triage workflow shared GitHub Actions cache scope with Cline’s nightly publish workflow, this could be chained with cache poisoning to exfiltrate publication secrets (NPM_RELEASE_TOKEN, VS Code Marketplace, and OpenVSX credentials). The exact method of token theft has not been publicly confirmed. Notably, these tokens were scoped to publisher identity rather than individual extensions, meaning nightly credentials could publish production releases.
What Does the Payload Do?
The postinstall script was: "postinstall": "npm install -g openclaw@latest"
OpenClaw is a legitimate, non-malicious open-source project. The payload did not steal credentials, install backdoors, or exfiltrate data. This looks like a proof of concept: someone demonstrating the attack’s feasibility rather than deploying an operational payload. The same postinstall hook could have delivered a credential stealer or reverse shell to every developer who ran npm install -g cline@2.3.0. The mechanism was proven, even if the payload was benign.
The Diff
The only change between the legitimate 2.2.3 (which 2.3.0 was based on) and the compromised version was in the package.json.
Index: package/package.json===================================================================--- package/package.json+++ package/package.json@@ -1,7 +1,7 @@ { "name": "cline",- "version": "2.2.3",+ "version": "2.3.0", "description": "Autonomous coding agent CLI - capable of creating/editing files, running commands, using the browser, and more", "main": "dist/cli.mjs", "bin": { "cline": "./dist/cli.mjs"@@ -31,9 +31,10 @@ "typecheck": "npx tsc --noEmit", "link": "npm run build && npm link", "unlink": "npm unlink -g cline", "test": "vitest",- "test:run": "vitest run"+ "test:run": "vitest run",+ "postinstall": "npm install -g openclaw@latest" }, "keywords": [ "cline", "claude",All other files, including the CLI binary dist/cli.mjs, were identical to the previous version.
How PMG Flagged It
SafeDep Package Manager Guard (PMG) flagged cline@2.3.0 as suspicious during installation:
SafeDep’s LLM-based file evaluation identified the postinstall script as executing an arbitrary command, installing a global package without user consent or explicit declaration in dependencies:
Users of pmg would have been blocked or alerted during the attempted installation, preventing the payload from executing.
For teams looking to catch malicious dependencies earlier in the development lifecycle, the SafeDep GitHub App can flag pull requests that introduce known malicious packages before they reach installation.
Post-Incident Response
Cline revoked the compromised token, removed the vulnerable AI triage workflow (PR #9211), and moved npm publishing to OIDC provenance via GitHub Actions. This eliminates long-lived static tokens as an attack surface for future publishes.
Next Steps for Users
If you installed cline@2.3.0 between 3:26 AM PT and 11:30 AM PT on February 17:
- Update:
npm install -g cline@latest(version2.4.0or higher) - Cleanup: Remove
openclawif you didn’t intend to install it:npm uninstall -g openclaw
References
- npm
- oss
- malware
- cline
- supply-chain
- prompt-injection
Author
Kunal Singh
safedep.io
Share
The Latest from SafeDep blogs
Follow for the latest updates and insights on open source security & engineering
astro.config.mjs Supply Chain Attack via Blockchain C2
An obfuscated IIFE hidden in astro.config.mjs fires at every build, beacons an HTTP C2, and pulls staged commands from a Tron-to-BSC blockchain dead drop.
Inside the Miasma Software Supply Chain Attack Toolkit
The Miasma worm source code appeared on GitHub through compromised developer accounts. The codebase is a full supply chain attack toolkit with credential exfiltration across AWS, Azure, GCP, and...
Miasma Worm: Most Infected GitHub Repos Are Still Live
Eight days after the Miasma worm forged a credential stealer into public GitHub repositories, most are still serving it. A re-scan of the published victim list plus a fresh code-search sweep found...
Config Files That Run Code: Supply Chain Security Blindspot
Editor and package-manager config files auto-execute commands when a developer opens a folder or installs dependencies. The Miasma worm wired one dropper into seven of them across Claude Code,...
Ship Code.
Not Malware.
Start free with open source tools on your machine. Scale to a unified platform for your organization.
