Infected npm Package Stealthily Installs OpenClaw on Developer Systems

A compromised npm publish token has led to the unintended installation of the AI agent OpenClaw on users' machines.

Researchers have found that a compromised npm publish token was used to push an update for the widely-used Cline command line interface (CLI). This update contained a malicious postinstall script that automatically installs the increasingly controversial OpenClaw application on unsuspecting users' machines.

This poses significant risks, as OpenClaw has extensive system access and integrations with various messaging platforms, including WhatsApp, Telegram, Slack, Discord, iMessage, Teams, and others.

According to research from security platform Socket, the malicious script was active for approximately eight hours on the registry.

It is important to note that OpenClaw itself is not inherently malicious. However, this incident adds to the application's troubling security history, and cases like this could lead to it being classified as a 'potentially unwanted application' (PUA).

“Essentially, they turned OpenClaw into malware that endpoint detection and response solutions won’t stop,” stated David Shipley from Beauceron Security. He described the situation as “deviously, terrifyingly brilliant.”

Users love OpenClaw; attackers do, too

OpenClaw, which was previously known as Clawdbot and Moltbot, is a free, open-source AI agent that launched on January 29 and quickly gained popularity. According to its developer, Peter Steinberger, the repository attracted over 2 million visitors in just one week, with an estimated 720,000 downloads per week.

OpenClaw operates locally on a user’s device, allowing it to perform real-world tasks like reading emails, browsing the internet, running applications, and managing calendars autonomously.

However, shortly after its release, OpenClaw faced serious security vulnerabilities, including susceptibility to prompt injection attacks, authentication bypasses, and server-side request forgery (SSRF). Many organizations have responded by significantly restricting or banning the use of the AI agent.

In the case of the Cline CLI, although OpenClaw was installed without malicious intent, it demonstrated that “the attacker had the ability to install anything,” as noted by Socket’s Sarah Gooding. “This time it was OpenClaw. Next time it might be something harmful.”

The Cline CLI is widely utilized within the developer community, with around 90,000 downloads per week from npm. The compromised token pushed cline@2.3.0, which included a modified package.json file with a postinstall script that installed the latest version of OpenClaw. This script was the only change made to the package; all other components remained identical to the legitimate prior release, making it easy for users to overlook.

The malicious package was uploaded on February 17, although the vulnerability had been discovered six weeks earlier by security researcher Adnan Khan. The compromised package was live for about eight hours before it was deprecated, and Cline released a corrected version (2.4.0).

Khan had initially published his findings regarding the vulnerable workflow on February 9, after failing to get a response from Cline regarding his reports. Cline addressed the issue within 30 minutes, but the patch was too late to prevent the exploit on February 17.

Gooding pointed out that Cline had no previous install scripts, so the appearance of a new one was a red flag worth investigating. Socket has classified the unauthorized publish as malware.

For developers who installed or updated the Cline CLI during the eight-hour window on February 17, Socket recommends the following:

  • Update to the latest version: `npm install -g cline@latest`.
  • If on version 2.3.0, update to 2.4.0 or higher.
  • Check for and uninstall OpenClaw if it was not intentionally installed (“npm uninstall -g openclaw”).
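The red flag Gooding describes (a package that never shipped install scripts suddenly gaining a postinstall hook) and the remediation checks above can both be automated. The following is an added example, not code from Socket or the Cline project; the package.json documents, the postinstall command and the `npm ls -g --json` output are constructed sample data, not the real files from the incident:

```python
import json

# Constructed sample package.json documents for two consecutive releases of a
# package (modelled on the incident described above; not the real Cline files).
PREV_PKG = json.dumps({"name": "cline", "version": "2.2.0",
                       "scripts": {"build": "tsc", "test": "vitest"}})
NEW_PKG = json.dumps({"name": "cline", "version": "2.3.0",
                      "scripts": {"build": "tsc", "test": "vitest",
                                  "postinstall": "npm install -g openclaw@latest"}})

# npm lifecycle hooks that run automatically when a package is installed.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

def lifecycle_scripts(pkg_json: str) -> dict:
    """Return only the lifecycle hooks declared in a package.json string."""
    scripts = json.loads(pkg_json).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE}

def new_install_hooks(prev_json: str, new_json: str) -> dict:
    """Lifecycle hooks present in the new release but absent from the previous one.
    A package with no prior install scripts gaining one between versions is the
    signal worth investigating before upgrading."""
    before = lifecycle_scripts(prev_json)
    after = lifecycle_scripts(new_json)
    return {k: v for k, v in after.items() if k not in before}

# Constructed output of `npm ls -g --json --depth=0` on a machine that
# updated during the affected window (sample data, not a real capture).
NPM_LS_JSON = json.dumps({"dependencies": {
    "cline": {"version": "2.3.0"},
    "openclaw": {"version": "1.0.0"},
    "typescript": {"version": "5.4.0"}}})

def remediation_findings(npm_ls_json: str) -> list:
    """Apply the advisory's two checks to `npm ls -g --json` output."""
    deps = json.loads(npm_ls_json).get("dependencies", {})
    findings = []
    if deps.get("cline", {}).get("version") == "2.3.0":
        findings.append("cline 2.3.0 installed: run `npm install -g cline@latest`")
    if "openclaw" in deps:
        findings.append("openclaw present: if unintended, run `npm uninstall -g openclaw`")
    return findings

if __name__ == "__main__":
    print(new_install_hooks(PREV_PKG, NEW_PKG))
    print(remediation_findings(NPM_LS_JSON))
```

To run the checks against a real machine, feed `remediation_findings` the output of `npm ls -g --json --depth=0` and `new_install_hooks` the package.json files extracted from two consecutive tarballs fetched with `npm pack`.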

Gooding mentioned that “nothing ran automatically beyond the install,” but stressed the risk remains: “OpenClaw is a capable agentic tool with broad system permissions, making it a serious concern for developers who may have inadvertently installed it.”

A no-win scenario

According to Shipley, endpoint detection and response providers, managed detection and response services, and other security vendors will likely have to label OpenClaw as either a PUA or outright malware, or else these types of attacks will continue to succeed.

“I hate to give credit to attackers, but you have to in this case,” he said. “This is why agentic AI is going to lead to many breaches.”

Ultimately, Shipley described the situation as a no-win scenario, especially for any organization that may have foolishly integrated OpenClaw into their enterprise environment and relied on it for business processes.

As he articulated, “Attackers combined the two biggest security disasters of 2026 into a massive catastrophe by chaining supply chain hacks via npm and the problematic AI agent debacle of OpenClaw.”
