Friday, February 20, 2026

AI Tool Hijacked: Cline Users Hit by Silent Supply Chain Attack

The rapid spread of OpenClaw simply was not going fast enough for someone. Cybersecurity vendors this week noticed an odd trend when the npm package for version 2.3.0 of Cline, a widely used open source AI coding tool, began installing an apparent stowaway program. For approximately eight hours, users who downloaded Cline received a poisoned version of the tool that made unauthorized installations on their systems.

A Poisoned Package In The Supply Chain

The attack began quietly and targeted the very infrastructure developers rely on to build software. Cline is a popular tool that helps programmers write code using artificial intelligence. However, earlier this week, the digital supply chain that delivers this tool to users was compromised.

Attackers managed to seize control of the publishing mechanism for Cline. They released version 2.3.0 which appeared to be a standard update. Beneath the surface, this version contained a malicious modification. It was designed to silently install a separate program called OpenClaw alongside the main AI tool.

This type of incident is known as a supply chain attack. Instead of hacking individual users one by one, the attackers poison the source. By compromising a trusted vendor or tool, they can distribute their payload to thousands of unsuspecting victims instantly. In this specific case, the poisoned window lasted for about eight hours.

Data indicates that the compromised package was downloaded approximately 4,000 times during this short period. While this number might seem low compared to consumer software, the targets were software engineers and developers. These users often have elevated access to critical corporate networks and sensitive data. This makes even a small number of compromised machines a significant security risk for the broader technology industry.


How A Researcher’s Discovery Was Weaponized

The story behind this breach involves a complex twist of fate regarding security research. The root cause of the attack was a vulnerability in how Cline handled specific commands. This flaw is technically known as a prompt injection vulnerability.

Security researcher Adnan Khan originally discovered this weakness. He found that between late December 2025 and early February 2026, it was possible for an attacker to manipulate Cline’s workflow. A specific flaw in the issue triage system allowed unauthorized users to execute commands and potentially steal secrets.

Khan did exactly what ethical researchers are supposed to do. He identified the problem and published a proof of concept to demonstrate the risk so it could be fixed. He wrote in a blog post that he conducted his testing on a mirror version of the software to confirm the vulnerability without hurting real users.

Unfortunately, a malicious actor was watching. This unknown attacker found Khan’s research and used his own testing methods against the real software. They utilized the exploit to steal a “publish token.” This digital key is what allows the software creators to push official updates. With the stolen token in hand, the attacker had the keys to the castle and pushed the poisoned version 2.3.0 to the public.

Khan publicly clarified that he was not behind the attack. He noted that his attempts to contact the company were initially difficult, but the vendor eventually patched the vulnerability. The incident serves as a stark reminder of the race between security researchers trying to fix holes and criminals trying to exploit them.

The Silent Danger Of OpenClaw

The software installed by the attackers, OpenClaw, is not a virus in the traditional sense. It does not delete files or display ransom notes. However, security experts warn that it is arguably more dangerous because of its capabilities.

Sai Likhith Paradarami, a software engineer with StepSecurity, analyzed the payload. He described OpenClaw as a dangerous payload due to the permissions it grabs upon installation. When the poisoned version of Cline was installed, it used a post-installation hook to download OpenClaw quietly in the background.

Once active, OpenClaw establishes what is known as a Gateway daemon. This acts as a persistent backdoor into the computer. It runs a WebSocket server that allows for two-way communication between the infected computer and the attacker.

This design makes the unauthorized program an exceptionally high value implant for an attacker. It grants full disk access and broad permissions to execute tasks on the user’s behalf. This means an attacker could potentially steal passwords, access private source code, or tamper with development environments.

Because OpenClaw itself is a legitimate tool when used correctly, it might not immediately trigger antivirus alarms. The danger lies in the unauthorized manner of its installation and the potential for a bad actor to control it remotely. It turns a developer’s machine into a puppet that can be controlled from anywhere in the world.

Fixing The Flaw And Future Safety

The team behind Cline responded to the crisis by releasing version 2.4.0. This clean version removes the compromised package and secures the software once again. The company also revoked the stolen token, ensuring that the attackers could no longer use it to push fake updates.

To prevent this from happening again, Cline has changed how they publish their software. They stated that they have moved to using OIDC provenance via GitHub Actions. In simple terms, this means they are no longer relying on a single static digital key that can be stolen. Instead, they are using a more modern and secure method of verifying their identity before releasing updates.

Henrik Plate, a researcher with Endor Labs, noted that while the impact here is considered low because OpenClaw is not malware, the event emphasizes a critical need. Package maintainers must disable publication through traditional tokens to close these security gaps.

Users who downloaded Cline during the eight-hour attack window face a lingering risk. Simply updating to the new version might not be enough if OpenClaw is already running in the background. Security experts are urging all affected users to review their environments. You should check for any unwanted installations of OpenClaw and remove them immediately to ensure your system is safe.

This incident highlights the fragility of the modern software ecosystem. As we rely more on AI tools to help us write code, we must ensure the tools themselves are secure. A single stolen key can lead to thousands of compromised networks in a matter of hours.

What are your thoughts on the security of open source tools? Do you think companies are doing enough to protect the supply chain? Share this article with your friends and let us know what you think.

James Lee
