GHSA-9PPG-JX86-FQW7

Vulnerability from github – Published: 2026-02-19 15:17 – Updated: 2026-02-19 15:17
Summary
Unauthorized npm publish of cline@2.3.0 with modified postinstall script
Details

Description

On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: cline@2.3.0. The published package contains a modified package.json with an added postinstall script:

"postinstall": "npm install -g openclaw@latest"

This causes openclaw (an unrelated, non-malicious open source package) to be globally installed when cline@2.3.0 is installed. No other files were modified: the CLI binary (dist/cli.mjs) and all other package contents are identical to the legitimate cline@2.2.3 release.

A corrected version (2.4.0) was published at 11:23 AM PT and 2.3.0 was deprecated at 11:30 AM PT. The compromised token has been revoked and npm publishing now uses OIDC provenance via GitHub Actions.

Impact

Users who installed Cline CLI cline@2.3.0 during the approximately 8-hour window between 3:26 AM PT and 11:30 AM PT on February 17 will have openclaw globally installed. The openclaw package is a legitimate open source project and is not malicious, but its installation was not authorized or intended.

The Cline VS Code extension and JetBrains plugin were not affected. This advisory applies only to the Cline CLI package published on npm.

Patches

Versions 2.4.0 and higher are fixed.

Workarounds

If you installed Cline CLI cline@2.3.0:

1. Update to the latest version of the Cline CLI: cline update or npm install -g cline@latest
2. Verify that you have a fixed version (2.4.0 or higher): cline --version
3. Review your environment for any unexpected installation of OpenClaw and remove it if not intended: npm uninstall -g openclaw


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "cline"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.0"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-19T15:17:10Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Description\nOn February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: cline@2.3.0. The published package contains a modified package.json with an added postinstall script:\n`\"postinstall\": \"npm install -g openclaw@latest\"`\nThis causes openclaw (an unrelated, non-malicious open source package) to be globally installed when cline@2.3.0 is installed. No other files were modified -- the CLI binary (dist/cli.mjs) and all other package contents are identical to the legitimate cline@2.2.3 release.\nA corrected version (2.4.0) was published at 11:23 AM PT and 2.3.0 was deprecated at 11:30 AM PT. The compromised token has been revoked and npm publishing now uses OIDC provenance via GitHub Actions.\n\n### Impact\nUsers who installed Cline CLI cline@2.3.0 during the approximately 8-hour window between 3:26 AM PT and 11:30 AM PT on February 17 will have openclaw globally installed. The openclaw package is a legitimate open source project and is not malicious, but its installation was not authorized or intended.\n\nThe Cline VS Code extension and JetBrains plugin were not affected. This advisory applies only to the Cline CLI package published on npm.\n\n### Patches\nVersions 2.4.0 and higher are fixed\n\n### Workarounds\nIf you installed Cline CLI cline@2.3.0:\n1. Update to the latest version of the Cline CLI\n`cline update` or `npm installl -g cline@latest`\n2. Verify that you have a fixed version (2.4.0 or higher)\n`cline --version`\n3. Review your environment for any unexpected installation of OpenClaw and remove it if not intended\n`npm uninstall -g openclaw`",
  "id": "GHSA-9ppg-jx86-fqw7",
  "modified": "2026-02-19T15:17:10Z",
  "published": "2026-02-19T15:17:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cline/cline/security/advisories/GHSA-9ppg-jx86-fqw7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cline/cline"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Unauthorized npm publish of cline@2.3.0 with modified postinstall script"
}