Cline CLI 2.3.0 supply-chain compromise via stolen npm token

TL;DR — A stolen npm token was used to publish a malicious Cline CLI release that installs backdoor code via a postinstall script; check your installed version and rotate credentials if affected.

What happened

Cline CLI is an open-source AI coding assistant that integrates with VS Code to help developers write, refactor, and debug code. F5 Labs reported that the open-source AI coding assistant Cline CLI suffered a supply-chain incident in which [email protected] was published to npm using a compromised npm publish token.

The malicious package included a postinstall script that installed openclaw@latest (an autonomous AI agent) onto developer systems, downloaded ~4,000 times during an ~8-hour window. OpenClaw itself was not deemed malicious, but the installation was unauthorized.

F5 attributes the compromise to a workflow weakness it calls "Clinejection": a misconfigured GitHub workflow where an AI agent with excessive permissions could be manipulated via prompt injection in a GitHub issue title to execute arbitrary code, enabling GitHub Actions cache poisoning and theft of the npm publish token.

This incident highlights the compounding risk when AI agents operate with broad CI/CD permissions — a single prompt injection can cascade into a full supply-chain compromise.

Who is impacted

• Teams and developers who installed [email protected] from npm during the affected window.
• Organizations whose developer workstations or CI runners executed the package install hooks.
• Engineering orgs using GitHub Actions for release/publishing, especially where workflows/agents have broad permissions and shared caches.

What to do now

• Inventory developer endpoints and CI/CD runners for cline and specifically flag version 2.3.0.
• Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
• Check for and remove unauthorized openclaw installations.
• Reduce CI/CD token exposure by migrating publishing pipelines from long-lived registry tokens to OIDC-based (tokenless/short-lived) publishing.
• Harden GitHub Actions: enforce separation between low-trust and high-trust workflows; apply least-privilege to workflow and agent permissions.

Additional Information

F5 reports that Cline maintainers responded by releasing [email protected], deprecating 2.3.0, revoking the compromised token, and implementing OIDC for npm publishing via GitHub Actions.