Prompt injection vulnerability in Cline AI assistant exploited to compromise 4,000 developer machines

Feb 2026

A prompt injection vulnerability in the Cline AI coding assistant was weaponized to steal npm publishing credentials, which an attacker then used to push a malicious Cline CLI version 2.3.0 that silently installed the OpenClaw AI agent platform on developer machines. The compromised package was live for approximately eight hours on February 17, 2026, accumulating roughly 4,000 downloads before maintainers deprecated it. A security researcher had disclosed the prompt injection flaw as a proof-of-concept; a separate attacker discovered it and turned it into a real supply chain attack.

Incident Details

Perpetrator: AI coding assistant
Severity: Facepalm
Blast Radius: Approximately 4,000 developers who installed Cline CLI during the 8-hour window received unauthorized OpenClaw installations; root cause was an AI-specific prompt injection flaw in the coding assistant itself
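The practical follow-up to an incident like this is checking whether a project ever resolved the compromised version. The script below is an added example, not code from the page or from the Cline project: it audits an npm `package-lock.json` (lockfileVersion 2 or 3) against a list of known-compromised package versions and also flags any dependency that npm records as running an install script (`hasInstallScript`). The lockfile content and the package names ending in `PLACEHOLDER` are constructed for the example; the real npm package name of the Cline CLI is not given on the page, and only the version number 2.3.0 comes from the incident. Flagging install scripts is a general hygiene check, not a claim about how the malicious version delivered OpenClaw.

```python
import json
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample package-lock.json (lockfileVersion 3 layout).
# Package names are placeholders; the real npm package name is not on the page.
SAMPLE_LOCKFILE = json.dumps({
    "name": "my-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app"},
        "node_modules/cline-cli-PLACEHOLDER": {
            "version": "2.3.0",          # the version named in the incident
            "hasInstallScript": True,    # npm sets this when the package has (pre|post)install
        },
        "node_modules/harmless-lib-PLACEHOLDER": {
            "version": "1.3.0",
        },
        "node_modules/other-tool-PLACEHOLDER": {
            "version": "0.9.1",
            "hasInstallScript": True,
        },
    },
})

# Known-compromised versions (constructed list keyed by placeholder name).
KNOWN_BAD: Dict[str, Set[str]] = {"cline-cli-PLACEHOLDER": {"2.3.0"}}


def package_name(path: str) -> str:
    """Recover the package name from a lockfile 'packages' key, e.g.
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(text: str, known_bad: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return sorted (name, version, reason) findings for a lockfile's contents."""
    lock = json.loads(text)
    if lock.get("lockfileVersion", 1) < 2:
        # v1 lockfiles use a nested 'dependencies' tree and lack hasInstallScript.
        raise ValueError("lockfileVersion 2 or 3 required")
    findings: List[Tuple[str, str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the "" key is the root project, not a dependency
            continue
        name = package_name(path)
        version = meta.get("version", "")
        if version in known_bad.get(name, set()):
            findings.append((name, version, "known-compromised version"))
        if meta.get("hasInstallScript"):
            findings.append((name, version, "runs install script"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]
    # With no argument the constructed sample lockfile is audited.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    for name, version, reason in audit_lockfile(source, KNOWN_BAD):
        print(f"{name}@{version}: {reason}")
```

Run against a real lockfile the check is a point-in-time view: a package that was installed and later removed leaves no trace here, so for the eight-hour window in question the registry's own download history or a CI install log is the more reliable record.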