Advisory

Cline CLI Supply Chain Attack: Malicious Version 2.3.0 Installs OpenClaw Backdoor

Take action: If you are using Cline, this is urgent. Check your developer environments for Cline version 2.3.0 and manually uninstall the OpenClaw package, as it persists even after Cline is updated. Always verify that your npm dependencies use OIDC-based trusted publishing to prevent unauthorized manual releases from reaching your production or development pipelines.


Learn More

The autonomous coding agent Cline CLI suffered a supply chain attack when version 2.3.0 was published to the npm registry with a malicious payload. 

An unauthorized party used a compromised token to bypass the project's standard automated publishing pipeline, which normally uses OIDC-based Trusted Publishing. 

The attacker injected a malicious post-install script into the package.json file that silently ran 'npm install -g openclaw@latest' without user consent. OpenClaw is (sort of) legitimate and not overtly malicious, but its unauthorized installation creates a persistent backdoor by setting up a system daemon (launchd or systemd) that runs a WebSocket server.

This manual release lacked the cryptographic provenance attestations found in legitimate versions. The incident was identified by security monitors that flagged the deviation from the verified GitHub Actions publishing identity.

This incident specifically affects the cline npm package version 2.3.0. 

This compromise extends beyond simple unauthorized software installation. Because OpenClaw runs with broad system-level permissions, attackers can access environment variables, SSH keys, and API tokens used by developers or CI/CD runners. 

In build environments, this could lead to the theft of cloud provider credentials for AWS, GCP, or Azure. The persistence of the OpenClaw gateway means the threat remains active even if the original cline package is removed, as the daemon survives system reboots and continues listening on local ports.

Security researchers noted that the malicious version appeared under the user account 'clinebotorg' instead of the verified 'GitHub Actions' identity used for all prior legitimate releases. Maintainers have deprecated the malicious version and restored the secure OIDC-based publishing workflow for all subsequent releases, starting with version 2.4.0.

Organizations must immediately update to Cline CLI version 2.4.0 or higher to ensure they are running a clean, verified build. Users should also manually check for and remove the OpenClaw package using 'npm uninstall -g openclaw' and verify their system services for any remaining 'openclaw' or 'clawdbot' daemons. It is critical to rotate any API keys, GitHub tokens, or cloud credentials that were present on the machine during the time version 2.3.0 was installed.
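The checks and remediation steps above, as an added example shell script that is not part of the advisory or the Cline project; the launchd/systemd unit directories it scans and the use of `npm audit signatures` for the provenance check are assumptions:

```sh
#!/bin/sh
# Added example (not from the advisory): audit a developer machine for the
# indicators described above. Assumes the default npm, launchd and systemd
# layouts; adjust the unit directories for your environment.

# Print the installed version of a global npm package, parsed from the output of
# `npm ls -g <pkg> --json`. Usage: installed_version <json-text> <pkg>
installed_version() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n "s/.*\"$2\"[^}]*\"version\": *\"\([^\"]*\)\".*/\1/p"
}

# Return 0 when the version is the compromised release named in the advisory.
is_compromised_cline() { [ "$1" = "2.3.0" ]; }

# Print every service unit name (launchd label or systemd unit file) that matches
# the daemon names the advisory says to look for; return 0 if any matched.
suspicious_units() {
  hit=1
  for u in "$@"; do
    case "$u" in
      *openclaw*|*clawdbot*) echo "$u"; hit=0 ;;
    esac
  done
  return $hit
}

# Live audit of the current host (only run when invoked with --run).
audit_host() {
  v=$(installed_version "$(npm ls -g cline --json 2>/dev/null)" cline)
  if is_compromised_cline "$v"; then
    echo "cline $v is the compromised release: update to >=2.4.0, then run"
    echo "  npm uninstall -g openclaw   # the backdoor survives the cline update"
  else
    echo "cline global version: ${v:-not installed}"
  fi
  # Persistence locations on macOS (launchd) and Linux (systemd).
  units=$(ls "$HOME/Library/LaunchAgents" /Library/LaunchDaemons \
             "$HOME/.config/systemd/user" /etc/systemd/system 2>/dev/null)
  if suspicious_units $units; then
    echo "Remove the units above, then rotate every credential on this machine"
  fi
  # In a project directory, verify registry signatures and provenance attestations
  # of installed dependencies (npm 9.5 or newer checks attestations too).
  npm audit signatures 2>/dev/null || echo "provenance check failed or unsupported here"
}

case "${1:-}" in --run) audit_host ;; esac
```

Run it as `sh audit.sh --run` on each developer machine and CI runner; a matching unit name or a 2.3.0 hit means the credential rotation described above is required, not optional.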
