F5 Labs: Cline CLI 2.3.0 npm token compromise used postinstall to install OpenClaw on developer systems
What happened
F5 Labs reported that the open-source AI coding assistant Cline CLI suffered a supply-chain incident in which version 2.3.0 was published to npm using a compromised npm publish token.
According to F5, the malicious cline@2.3.0 package included a postinstall script that installed openclaw@latest (an autonomous AI agent) onto developer systems, and was downloaded ~4,000 times during an ~8-hour window.
F5 notes that OpenClaw itself was not deemed malicious, but the installation was unauthorized/unintended as part of the supply-chain compromise.
F5 attributes the compromise to a workflow weakness it calls "Clinejection": a misconfigured GitHub workflow in which an AI agent (Claude) with excessive permissions could be manipulated, via prompt injection in a GitHub issue title, into executing arbitrary code. This enabled GitHub Actions cache poisoning and theft of publication secrets, including the npm publish token.
Who is impacted
- Teams and developers who installed cline@2.3.0 from npm during the affected window.
- Organizations whose developer workstations or CI runners may have executed the package's install hooks.
- Engineering orgs using GitHub Actions for release/publishing, especially where workflows/agents have broad permissions and shared caches between low-trust and high-trust jobs.
What to do now
- Inventory developer endpoints and CI/CD runners for cline, and specifically flag version 2.3.0.
- Upgrade to cline@2.4.0 or later, as recommended by F5.
- Check for and remove unauthorized openclaw installations where not explicitly approved.
- Reduce CI/CD token exposure by migrating publishing pipelines from long-lived registry tokens to OIDC-based (tokenless/short-lived) publishing where supported.
- Harden GitHub Actions: enforce separation between low-trust and high-trust workflows so that low-trust jobs cannot write to or influence caches consumed by release/publish jobs; apply least-privilege to workflow and agent permissions.
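One way to carry out the inventory step above, as an added example rather than F5's or the Cline project's own tooling: it parses the JSON that `npm ls -g --json --depth=0` prints, flags cline 2.3.0 and any openclaw install, and embeds a constructed sample so it runs offline. The `scan_host` helper and the sample version strings are assumptions, not values from the write-up.

```python
import json
import subprocess

# The release the F5 Labs write-up identifies as compromised, and the package
# its postinstall hook pulled in (both named in the advisory above).
COMPROMISED = {"cline": "2.3.0"}
UNAPPROVED = {"openclaw"}


def find_findings(npm_ls_json: str) -> list[dict]:
    """Scan the JSON output of `npm ls -g --json --depth=0` and return findings.

    npm's output has the shape {"dependencies": {"<name>": {"version": "..."}}}.
    """
    tree = json.loads(npm_ls_json or "{}")
    findings = []
    for name, info in tree.get("dependencies", {}).items():
        version = info.get("version", "unknown")
        if COMPROMISED.get(name) == version:
            findings.append({"package": name, "version": version,
                             "reason": "compromised release; upgrade to cline@2.4.0 or later"})
        elif name in UNAPPROVED:
            findings.append({"package": name, "version": version,
                             "reason": "installed by the cline@2.3.0 postinstall hook in the "
                                       "reported incident; remove unless explicitly approved"})
    return findings


def scan_host() -> list[dict]:
    """Assumed helper: run npm on this machine and scan its global packages.

    `npm ls` exits non-zero on dependency problems, so check=False keeps the output.
    """
    try:
        out = subprocess.run(["npm", "ls", "-g", "--json", "--depth=0"],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:  # npm is not installed on this host
        return []
    return find_findings(out)


# Constructed sample, shaped like real `npm ls -g --json --depth=0` output.
SAMPLE = json.dumps({
    "name": "lib",
    "dependencies": {
        "cline": {"version": "2.3.0"},
        "openclaw": {"version": "0.0.0-sample"},   # constructed placeholder version
        "typescript": {"version": "5.4.5"},
    },
})

if __name__ == "__main__":
    for finding in find_findings(SAMPLE):
        print(finding)
```

Run `scan_host()` on each developer endpoint and CI runner to apply the same check to real installs; project-local installs can be checked by dropping `-g`.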
Additional Information
F5 reports that Cline maintainers responded by releasing Cline CLI 2.4.0, deprecating 2.3.0, revoking the compromised token, and implementing OIDC for npm publishing via GitHub Actions.
