{"id":7201,"date":"2026-02-21T02:52:03","date_gmt":"2026-02-21T02:52:03","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7201"},"modified":"2026-02-21T02:52:03","modified_gmt":"2026-02-21T02:52:03","slug":"compromised-npm-package-silently-installs-openclaw-on-developer-machines","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7201","title":{"rendered":"Compromised npm package silently installs OpenClaw on developer machines"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A new security bypass has users installing AI agent OpenClaw \u2014 whether they intended to or not.<\/p>\n<p>Researchers have discovered that a compromised npm publish token pushed an update for the widely-used Cline command line interface (CLI) containing a malicious postinstall script. That script installs the wildly popular, but increasingly condemned, <a href=\"https:\/\/www.csoonline.com\/article\/4129867\/what-cisos-need-to-know-about-clawdbot-i-mean-moltbot-i-mean-openclaw.html\" target=\"_blank\" rel=\"noopener\">agentic application OpenClaw<\/a> on the unsuspecting user\u2019s machine.<\/p>\n<p>This can be extremely dangerous, as OpenClaw has broad system access and deep integrations with messaging platforms including WhatsApp, Telegram, Slack, Discord, iMessage, Teams, and others.<\/p>\n<p>According to research by security platform Socket, the script was live for eight hours on the registry.<\/p>\n<p>It should be emphasized that, in this case, OpenClaw wasn\u2019t inherently malicious. 
However, it does represent yet another chapter in OpenClaw\u2019s shaky security saga, and situations like this could earn it \u2018potentially unwanted application\u2019 (PUA) status.<\/p>\n<p>\u201cI mean, they effectively turned OpenClaw into malware that EDR [endpoint detection and response] isn\u2019t going to stop,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/dbshipley\/\" target=\"_blank\" rel=\"noopener\">David Shipley<\/a> of Beauceron Security. It is \u201cdeviously, terrifyingly brilliant.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Users love OpenClaw; attackers do, too<\/h2>\n<p>OpenClaw (formerly Clawdbot and Moltbot) is a free, open-source, autonomous AI agent that <a href=\"https:\/\/openclaw.ai\/blog\/introducing-openclaw\" target=\"_blank\" rel=\"noopener\">launched on January 29<\/a> and almost immediately went viral. According to its developer, Peter Steinberger, its repo had more than 2 million visitors over the course of a single week, and it\u2019s estimated that it has been <a href=\"http:\/\/www.ox.security\/blog\/how-to-uninstall-openclaw-remove-data-revoke-access\/\" target=\"_blank\" rel=\"noopener\">downloaded 720,000 times a week<\/a>.<\/p>\n<p>OpenClaw runs locally on a user\u2019s hardware rather than in the cloud, and can perform autonomous, real-world actions on their behalf, such as reading emails, browsing web pages, running apps, or managing calendars.<\/p>\n<p>However, almost immediately after release, it raised <a href=\"https:\/\/www.computerworld.com\/article\/4125939\/by-whatever-name-moltbolt-clawd-openclaw-this-uber-ai-assistant-is-a-security-nightmare.html\" target=\"_blank\" rel=\"noopener\">serious security issues<\/a>: It is prone to prompt injection attacks, authentication bypasses, and server-side request forgery (SSRF), among other <a href=\"https:\/\/www.csoonline.com\/article\/4134540\/six-flaws-found-hiding-in-openclaws-plumbing.html\" target=\"_blank\" rel=\"noopener\">attacks<\/a>. 
Many enterprises have responded by severely restricting, or outright banning, the AI agent.<\/p>\n<p>While, in the Cline situation, OpenClaw was merely installed and was not inherently malicious, \u201cthe attacker had the ability to install anything,\u201d <a href=\"https:\/\/socket.dev\/blog\/cline-cli-npm-package-compromised-via-suspected-cache-poisoning-attack\" target=\"_blank\" rel=\"noopener\">Socket\u2019s Sarah Gooding<\/a> wrote. \u201cThis time it was OpenClaw. Next time it might be something malicious.\u201d<\/p>\n<p>The Cline CLI is widely-used across the developer ecosystem, with about 90,000 weekly downloads from npm. The compromised token was used to push cline@2.3.0 to the npm registry; that release contained a modified package.json with a postinstall script that installed the latest version of OpenClaw. The addition of that script was the only modification to the package; otherwise the CLI binary and other contents were identical to the legitimate prior release, Gooding noted, making it easy to miss.<\/p>\n<p>The compromised package was pushed on February 17, although the underlying problem had been <a href=\"https:\/\/adnanthekhan.com\/posts\/clinejection\/\" target=\"_blank\" rel=\"noopener\">discovered six weeks prior<\/a> by security researcher Adnan Khan. The package sat live on the registry for an estimated eight hours before it was deprecated and Cline published a corrected version (2.4.0).<\/p>\n<p>Khan had initially published his research about the vulnerable workflow on February 9, after unsuccessful attempts to get a response to his reports from Cline, and Cline fixed it within 30 minutes. 
However, while the patch closed the entry point, the token could have been stolen during an attacker\u2019s initial reconnaissance, meaning the fix came too late to prevent the February 17 publish (which, ultimately, was the day it was exploited).<\/p>\n<p>\u201cCline had no prior install scripts, so a new one appearing was an anomalous signal worth investigating,\u201d Gooding noted, adding that Socket has marked the unauthorized publish as malware.<\/p>\n<p>For devs who installed or updated the Cline CLI in the roughly eight-hour window on February 17, Socket advises:<\/p>\n<p>Update to the latest version (\u201cnpm install -g cline@latest\u201d).<\/p>\n<p>If on version 2.3.0, update to 2.4.0 or higher.<\/p>\n<p>Check for and immediately remove OpenClaw if it hadn\u2019t been intentionally installed (\u201cnpm uninstall -g openclaw\u201d).<\/p>\n<p>Gooding noted, \u201cnothing ran automatically beyond the install,\u201d but added there was still a risk: \u201cOpenClaw is a capable agentic tool with broad system permissions, not a trivial package to have silently dropped onto a developer\u2019s machine.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A no-win scenario<\/h2>\n<p>EDR, managed detection and response (MDR), and other security providers are going to be forced to declare OpenClaw as either a PUA or \u201cflat out as malware, which, honestly, it can be,\u201d said Shipley, or these kinds of attack win.<\/p>\n<p>\u201cI hate to give it to attackers, but you kind of have to on this one,\u201d he said. 
\u201cThis is why agentic AI is going to get so many people pwned.\u201d<\/p>\n<p>Ultimately, it\u2019s a no-win scenario, Shipley noted, particularly if any organization was \u201cso foolish\u201d as to have allowed OpenClaw into their enterprise environment and built business-reliant work processes on it.<\/p>\n<p>As he put it: \u201cAttackers combined the two biggest dumpster fires in 2026 cybersecurity into a city-scale landfill fire by chaining supply chain hacks via npm and the smoking-hot-vibe-coded AI agent disaster of OpenClaw.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A new security bypass has users installing AI agent OpenClaw \u2014 whether they intended to or not. Researchers have discovered that a compromised npm publish token pushed an update for the widely-used Cline command line interface (CLI) containing a malicious postinstall script. That script installs the wildly popular, but increasingly condemned, agentic application OpenClaw on 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7202,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7201","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7201"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7201"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7201\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7202"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7201"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7201"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7201"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}