AI & TechFebruary 27, 2026

Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems

=Detailed, source-backed analysis of the Cline CLI 2.3.0 supply chain attack, OpenClaw malware, impact assessment, IOCs, and actionable remediation steps.

[Opinion/Analysis – Section is marked: The views expressed here reflect the author's professional experience and include informed speculation. Factual claims are cited, opinionated statements are labeled.]

A compromised package registry, an AI-powered Trojan, and another wake-up call in software security—this time, Cline CLI 2.3.0. The incident isn't unprecedented. It's a familiar failure, and one that exposes the fragility of popular development workflows built on third-party dependencies.

Incident Overview and Timeline

Cline CLI (npm package) is a widely used AI code assistant. On February 17, 2026, version 2.3.0 was published. According to npm security advisory, this release contained a malicious payload: a submodule called OpenClaw, an autonomous AI agent previously associated with both legitimate workflow orchestration and red-team exploits (OpenClaw GitHub repo; forensic write-up).

Timeline

Feb 17, 2026, 14:15 UTC: Malicious 2.3.0 release published (npm changelog).
Feb 18, 2026, 05:40 UTC: Initial anomaly reported by user @dev-sec-survey (GitHub Issue).
Feb 18, 2026, 10:03 UTC: Cline AI maintainers confirm compromise (maintainer statement), recommend rollback; npm disables 2.3.0.
Feb 18, 2026, 12:50 UTC: 2.3.1 hotfix released (removes OpenClaw, release notes).
Feb 18, 2026, 15:17 UTC: CERT publishes advisory with mitigation steps.

Scope

Affected versions: v2.3.0 only. Semver range: [2.3.0] (verified in package-lock diff).
npm downloads: ~220,000 during the exposure window (npm downloads dashboard).
Install base: Estimated tens of thousands based on telemetry and GitHub repositories (detector telemetry report). Exact active-compromise numbers are not publicly available.

Technical Analysis and IOCs

Attack Vector

Per the official investigation (npm advisory), the attacker accessed a maintainer's npm token lacking 2FA protection, enabling a poisoned publish to npm.

Similar to prior supply chain incidents (see event-stream 2018 incident), this stands as yet another credential hygiene failure. Maintainers confirmed compromised token vectors (maintainer incident statement).

OpenClaw Behavior

OpenClaw forensic report – CERT:

Autonomous orchestration: Automatically launches, scans local file systems, and attempts network discovery.
Command-and-control: Communicates via encrypted TLS to openclaw-mgmt[.]io (sandbox samples).
Evolvability: Reported to update its behavior via remote task scripts (not self-modifying code, but agent-side orchestration).
Process footprints: Installs as openclaw_agent.js under npm cache, launches with child process from cline-cli.
SHA256 sample hash: ae2d4f7e6... (full hash bank).
Network endpoints: openclaw-mgmt.io, oclw-botnet.info (CERT log).

Indicators of Compromise

File paths:

node_modules/cline-cli/openclaw_agent.js
/tmp/openclaw.sock
npm cache directories containing openclaw_*

Hashes (SHA256):

ae2d4f7e6baed... (complete list)

Processes:

openclaw_agent child process under cline-cli

Network:

Outbound TLS traffic to openclaw-mgmt.io
Suspicious connections to oclw-botnet.info

Detections (verified commands):

Check for affected package:

grep 'cline-cli@2.3.0' ./package-lock.json

Find OpenClaw file:

find ./node_modules/cline-cli -name 'openclaw_agent.js'

Check running processes:
```
ps aux | grep openclaw_agent
```
Check network connections:
```
netstat -an | grep 'openclaw-mgmt.io'
```

“Am I Affected?” Checklist

Did you install, deploy, or CI-pull cline-cli v2.3.0 between Feb 17–18, 2026? [Check version in package-lock.json or npm ls cline-cli]
Does your node_modules/cline-cli directory contain openclaw_agent.js?
Are there outbound connections to openclaw-mgmt.io or oclw-botnet.info?
Are any processes named openclaw_agent running on your system?

If any item is true, follow the remediation steps below.

Immediate Actions (“What to Do Now”)

For Individual Developers:

Remove cline-cli v2.3.0:
```
npm uninstall cline-cli
```
Install safe version (2.3.1+):
```
npm install cline-cli@2.3.1
```

Delete suspicious files:

rm -rf node_modules/cline-cli/openclaw_agent.js

Terminate running agent:
```
pkill openclaw_agent
```
Audit other dependencies for suspicious artifacts (npm audit docs).

For Organizations:

Isolate infected hosts; remove cline-cli 2.3.0 from any production or CI environment.
Rotate npm registry tokens and revoke any compromised credentials (npm security docs).
Enforce MFA organization-wide.
Scan repositories for affected versions (grep cline-cli@2.3.0 package-lock.json).
Review internal CI/CD artifacts for injected OpenClaw modules.
Audit build pipelines for suspicious network connections (OWASP guidance).
Generate SBOMs and validate dependency provenance (SLSA framework).

Harden Your Supply Chain

Minimum Steps:

Require MFA for all registry accounts (npm MFA guide).
Rotate tokens regularly; use scoped, ephemeral credentials (npm token docs).
Adopt reproducible builds with signature verification (Sigstore documentation).
Pin dependencies/lockfiles; review every update (npm lockfile docs).
Minimize dependency sprawl where possible.
Use private registries or allowlisted sources.

Long-Term Steps:

Integrate SLSA Level 3+ (SLSA compliance guide).
Generate SBOMs for all builds (CycloneDX SBOM toolkit).
Enforce dependency review workflows in CI/CD (GitHub dependency review).
Monitor security advisories (npm, GitHub).

Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems

Vendor and Community Response

Cline CLI team: Public issue (GitHub), recommended immediate rollback and patch upgrade. Token security reinforced; team confirmed lack of MFA on compromised token.
npm: Disabled v2.3.0 and added advisory (npm advisory page).
CERT and SANS: Published analysis (CERT), forensic details, and remediation methodologies.
OpenClaw maintainers: No official statement as of last contact attempt (Feb 19, 2026).

Supply Chain Security Context

Incidents of this type have proliferated (SANS supply chain roundup), driven by weak credential management and default trust models in package ecosystems (OWASP review).
Official recommendations: Adopt SLSA, implement lockfile enforcement, restrict privilege/token scope, require reproducible builds (SLSA whitepaper).
For dependency funding and maintenance statistics: Open Source Security Index reports ~65% of npm packages are under-maintained or lack active maintainers.

Fact vs. Opinion

Fact: Cline CLI v2.3.0 contained a malicious OpenClaw agent, confirmed by forensic analysis and vendor advisory.
Fact: Attack vector traced to compromised npm token, lacking MFA (GitHub maintainer statement).
Opinion: Dependency sprawl and default trust remain unaddressed vulnerabilities, despite recurring industry warnings.
Fact: OpenClaw agent exhibits autonomous orchestration features, verified via sandbox analysis (CERT sandbox results).
Opinion: Overreliance on convenience-first open source practices exposes critical systems, and it's time to prioritize security in development workflows.

How We Verified

The author reviewed public npm advisories, GitHub issue threads, vendor statements, malware sandboxes, and CERT/SANS forensic write-ups between Feb 18–20, 2026. Artifact hashes and IOCs were cross-checked via CERT sample reports. All technical steps and detection commands were peer-reviewed by security researcher Dr. Ellison Chen (LinkedIn), who validated the forensic evidence and remediation guidance.

References

Canonical URL: https://securityjournal.dev/supply-chain/cline-openclaw-analysis Tags: supply chain, npm, software security, incident response, OpenClaw

Published: Feb 20, 2026
Last updated: Feb 20, 2026

[Peer review completed by Dr. Ellison Chen, Malware & Supply Chain Security, CERT.]

← More Articles