While the AI itself wasn’t weaponized, the technique raises concerns about AI agents with broad system access.

InfoWorld is a source of news, analysis, and commentary on technology trends, IT strategies, and business innovation. With a focus on enterprise technology and digital transformation, InfoWorld offers insights and guidance for IT decision-makers, software developers, and technology professionals. From  articles on cloud computing and cybersecurity to product reviews and industry trends, InfoWorld helps readers navigate the complexities of modern IT environments and make informed decisions to drive business success.

InfoWorld

A compromised npm publish token was used to push a malicious version of the Cline CLI (v2.3.0) containing a postinstall script that silently installed the AI agent OpenClaw on developer machines. The package was live for approximately eight hours on February 17 before being deprecated. Security researcher Adnan Khan had discovered the vulnerable workflow six weeks earlier, but the stolen token allowed the attack to proceed even after a patch was applied. While OpenClaw itself wasn't weaponized in this instance, its broad system access and integrations with messaging platforms make it a dangerous silent install. Developers who updated Cline during that window are advised to upgrade to v2.4.0 or higher and remove OpenClaw if unintentionally installed. Security experts warn this technique highlights the growing risk of agentic AI tools being exploited in supply chain attacks.

Compromised npm package silently installs OpenClaw on developer machines