Cline CLI 2.3.0: Yet Another Supply Chain Clusterfuck
So some bright spark decided to shit in the community pool again. This time it’s Cline CLI version 2.3.0, which was about as clean as a gas station bathroom floor. For three glorious hours, the npm package was basically a fucking Trojan horse dressed up as a developer tool, gift-wrapping your credentials to some script kiddie who compromised a maintainer account.
The malware, charmingly named “OpenClaw”—sounds like a shitty metal band, doesn’t it?—immediately started rifling through your system like a burglar on meth. It went straight for the good stuff: environment variables, SSH keys, AWS credentials, GitHub tokens, basically anything that could ruin your entire week in one go. Because why just steal your code when you can steal your entire digital identity?
And how did this dumpster fire start? Oh, the usual: a maintainer’s account got pwned. Probably used “password123” or clicked on a phishing email promising nude photos of Richard Stallman. Next thing you know, malicious code’s been merged, version 2.3.0 hits npm, and thousands of developers are happily running npm install -g cline-cli like lemmings marching off a cliff.
If you’re one of the lucky bastards who installed 2.3.0 during that window, congratulations! You’ve won a complete security audit and credential rotation. Rotate EVERYTHING. SSH keys, API tokens, passwords, your house keys, your car keys, your mother’s maiden name—fucking everything. Assume it’s compromised and start over. It’s the digital equivalent of burning your house down because you saw one cockroach.
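To find out whether you are one of those lucky bastards, here is an added example (not from the original post or from the Cline project) that walks a directory tree for package-lock.json files pinning cline-cli 2.3.0 and for installed copies of it. The package name and version come from the post; the sample lockfile and its other names are constructed.

```python
import json, os, sys

# Name and version as given in the post; the rest is illustrative.
BAD_NAME, BAD_VERSION = "cline-cli", "2.3.0"
# Constructed sample lockfile (v3 layout); "other" and 2.2.9 are made up.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "node_modules/cline-cli": {"version": "2.3.0"},
    "node_modules/other/node_modules/cline-cli": {"version": "2.2.9"}}}

def _load(path):
    """Parse a JSON file; return {} if unreadable or not a JSON object."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
        return data if isinstance(data, dict) else {}
    except (OSError, ValueError):
        return {}

def _is_bad(name, meta):
    return name == BAD_NAME and isinstance(meta, dict) and meta.get("version") == BAD_VERSION

def lock_hits(lock):
    """Return lockfile entries pinning the bad release (v1 and v2/v3 layouts)."""
    hits = [k for k, m in (lock.get("packages") or {}).items()  # v2/v3: flat map
            if _is_bad(k.split("node_modules/")[-1], m)]
    stack = [lock.get("dependencies") or {}]
    while stack:  # v1: "dependencies" objects nest recursively
        for name, meta in stack.pop().items():
            if _is_bad(name, meta):
                hits.append("dependencies/" + name)
            if isinstance(meta, dict):
                stack.append(meta.get("dependencies") or {})
    return hits

def scan(root):
    """Walk root; report lockfiles that pin, and package.json files that are, the bad release."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if "package-lock.json" in files:
            path = os.path.join(dirpath, "package-lock.json")
            found += [(path, "locked at " + k) for k in lock_hits(_load(path))]
        path = os.path.join(dirpath, "package.json")
        pkg = _load(path) if "package.json" in files else {}
        if _is_bad(pkg.get("name"), pkg):
            found.append((path, "installed"))
    return sorted(found)

if __name__ == "__main__":
    print(*scan(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

Point it at your project directories and at the path printed by npm root -g. An empty result says nothing about a copy that was installed during the window and upgraded since, so if you ran 2.3.0, rotate anyway.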
This is why we can’t have nice things. Developers just blindly install shit from the internet without checking signatures, verifying checksums, or even looking at what the fuck they’re downloading. “Oh, it’s on npm, it must be safe!” Yeah, and that Nigerian prince really IS going to wire you that money, you gullible twat.
Full details here: https://thehackernews.com/2026/02/cline-cli-230-supply-chain-attack.html
ANECDOTE: Had a developer come to me last week, panicking because his machine was “acting weird” after updat
