
The incident highlights the fragility of AI‑focused supply chains and the need for stronger provenance controls, prompting developers to reassess dependency hygiene.
The Cline supply‑chain breach underscores how quickly a single vulnerable workflow can cascade into a widespread compromise. Researchers discovered that a prompt‑injection flaw in the Claude Issue Triage pipeline allowed any GitHub‑authenticated attacker to hijack release tokens, effectively turning the open‑source publishing process into a backdoor. By publishing a malicious post‑install script, the attacker leveraged npm’s trust model to deliver OpenClaw to unsuspecting developers, illustrating the inherent risks of token‑based authentication in modern CI/CD pipelines.
OpenClaw itself, though not classified as traditional malware, possesses capabilities that make it a high‑value implant. It obtains full‑disk permissions, establishes a persistent gateway daemon, and communicates via a hidden WebSocket server, enabling threat actors to exfiltrate credentials, modify codebases, and maintain long‑term footholds. This level of access is especially concerning for AI development environments, where proprietary models and data are often stored locally. The episode serves as a reminder that even seemingly benign tools can become vectors for espionage when supply‑chain integrity is compromised.
In response, Cline moved to an OIDC‑based provenance system through GitHub Actions, revoking the compromised token and enforcing signed releases. The swift rollout of version 2.4.0 and the public advisory demonstrate a growing industry emphasis on zero‑trust publishing and automated attestation. For enterprises, the lesson is clear: enforce strict token hygiene, monitor package signatures, and incorporate continuous SBOM checks to detect anomalous dependencies before they reach production.