Compromised npm package silently installs OpenClaw on developer machines


A new security bypass has users installing AI agent OpenClaw — whether they intended to or not.

Researchers have discovered that a compromised npm publish token was used to push an update for the widely used Cline command line interface (CLI) containing a malicious postinstall script. That script installs the wildly popular, but increasingly condemned, agentic application OpenClaw on the unsuspecting user’s machine.

This can be extremely dangerous, as OpenClaw has broad system access and deep integrations with messaging platforms including WhatsApp, Telegram, Slack, Discord, iMessage, Teams, and others.

According to research by security platform Socket, the script was live for eight hours on the registry.

It should be emphasized that, in this case, OpenClaw wasn’t inherently malicious. However, it does represent yet another chapter in OpenClaw’s shaky security saga, and situations like this could earn it ‘potentially unwanted application’ (PUA) status.

“I mean, they effectively turned OpenClaw into malware that EDR [endpoint detection and response] isn’t going to stop,” said David Shipley of Beauceron Security. It is “deviously, terrifyingly brilliant.”

Users love OpenClaw; attackers do, too

OpenClaw (formerly Clawdbot and Moltbot) is a free, open-source, autonomous AI agent that launched on January 29 and almost immediately went viral. According to its developer, Peter Steinberger, its repo had more than 2 million visitors over the course of a single week, and it’s estimated that it has been downloaded 720,000 times a week.

OpenClaw runs locally on a user’s hardware rather than in the cloud, and can perform autonomous, real-world actions on their behalf, such as reading emails, browsing web pages, running apps, or managing calendars.

However, almost immediately after release, it raised serious security issues: It proved susceptible to prompt injection, authentication bypass, and server-side request forgery (SSRF), among other attacks. Many enterprises have responded by severely restricting, or outright banning, the AI agent.

In the Cline case, OpenClaw was merely installed and is not itself malicious, but “the attacker had the ability to install anything,” Socket’s Sarah Gooding wrote. “This time it was OpenClaw. Next time it might be something malicious.”

The Cline CLI is widely used across the developer ecosystem, with about 90,000 weekly downloads from npm. The compromised token pushed cline@2.3.0 to the npm registry; the package contained a modified package.json with a postinstall script that installed the latest version of OpenClaw. The addition of that script was the only modification to the package; otherwise the CLI binary and other contents were identical to the legitimate prior release, Gooding noted, making it easy to miss.

The compromised package was pushed on February 17, although the underlying problem had been discovered six weeks prior by security researcher Adnan Khan. The package sat live on the registry for an estimated eight hours before it was deprecated and Cline published a corrected version (2.4.0).

Khan had initially published his research about the vulnerable workflow on February 9, after unsuccessful attempts to get a response to his reports from Cline, and Cline fixed it within 30 minutes. However, while the patch closed the entry point, the token could already have been stolen during an attacker’s initial reconnaissance, so the fix came too late to prevent the February 17 publish, the day the stolen token was ultimately used.

“Cline had no prior install scripts, so a new one appearing was an anomalous signal worth investigating,” Gooding noted, adding that Socket has marked the unauthorized publish as malware.
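The anomaly Gooding describes, a package that never had install scripts suddenly gaining one, is cheap to check mechanically before a version bump is accepted. The following is an added example written for this article, not Socket’s or Cline’s code: it compares the `scripts` section of two package.json manifests and flags any npm install-time hook (preinstall, install, postinstall, prepare) that is new or changed. The two manifests are constructed inline to mimic the shape of the incident; the exact postinstall command is an assumption for illustration, not the real package’s contents.

```javascript
// Added example (not Socket's or Cline's code): detect npm lifecycle scripts
// that appear in a new package version but were absent from, or differ from,
// the previous one. Both manifests below are constructed; the postinstall
// command is assumed, not copied from the real cline@2.3.0 package.

// Hooks npm runs automatically when a package is installed as a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Compare two package.json objects and return every install-time hook that is
// new or changed in `next` relative to `prev`.
function diffInstallScripts(prev, next) {
  const prevScripts = (prev && prev.scripts) || {};
  const nextScripts = (next && next.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const before = prevScripts[hook];
    const after = nextScripts[hook];
    if (after !== undefined && before === undefined) {
      findings.push({ hook, change: 'added', command: after });
    } else if (after !== undefined && before !== after) {
      findings.push({ hook, change: 'modified', command: after });
    }
  }
  return findings;
}

// Decide whether a version bump deserves a human look: either the package had
// no install hooks at all and now has one (the Cline 2.3.0 pattern), or a hook
// now shells out to npm to install something else.
function isSuspiciousBump(prev, next) {
  const findings = diffInstallScripts(prev, next);
  const prevScripts = (prev && prev.scripts) || {};
  const hadNone = INSTALL_HOOKS.every(h => prevScripts[h] === undefined);
  const installsOther = findings.some(f => /\bnpm\s+(i|install)\b/.test(f.command));
  return findings.length > 0 && (hadNone || installsOther);
}

// Constructed manifests: a prior release with no install hooks, and a 2.3.0-like
// release that is identical except for a newly added postinstall hook.
const prevManifest = {
  name: 'cline',
  version: '2.2.0',
  bin: { cline: './bin/cline.js' },
  scripts: { test: 'node test.js' },
};
const nextManifest = {
  name: 'cline',
  version: '2.3.0',
  bin: { cline: './bin/cline.js' },
  // Assumed command for illustration; the real script's text is not on the page.
  scripts: { test: 'node test.js', postinstall: 'npm install -g openclaw@latest' },
};

for (const f of diffInstallScripts(prevManifest, nextManifest)) {
  console.log(`${f.change} ${f.hook}: ${f.command}`);
}
console.log('suspicious bump:', isSuspiciousBump(prevManifest, nextManifest));
```

Run against the two constructed manifests it reports `added postinstall` and marks the bump suspicious, while an unchanged manifest produces no findings. The same comparison can be driven from `npm view <pkg>@<version> scripts --json` output for any two published versions. A complementary control is to stop npm from running these hooks at all on developer and CI machines (`npm config set ignore-scripts true`, or `npm install --ignore-scripts`), which would have left the dropped postinstall inert even if the bump had slipped through review.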

For devs who installed or updated the Cline CLI in the roughly eight-hour window on February 17, Socket advises:

  • Update to the latest version: `npm install -g cline@latest`.
  • If on version 2.3.0, update to 2.4.0 or higher.
  • Check for OpenClaw and immediately remove it if it was not intentionally installed: `npm uninstall -g openclaw`.

Gooding noted, “nothing ran automatically beyond the install,” but added there was still a risk: “OpenClaw is a capable agentic tool with broad system permissions, not a trivial package to have silently dropped onto a developer’s machine.”

A no-win scenario

EDR, managed detection and response (MDR), and other security providers are going to be forced to declare OpenClaw as either a PUA or “flat out as malware, which, honestly, it can be,” said Shipley, or these kinds of attack win.

“I hate to give it to attackers, but you kind of have to on this one,” he said. “This is why agentic AI is going to get so many people pwned.”

Ultimately, it’s a no-win scenario, Shipley noted, particularly if any organization was “so foolish” as to have allowed OpenClaw into their enterprise environment and built business-reliant work processes on it.

As he put it: “Attackers combined the two biggest dumpster fires in 2026 cybersecurity into a city-scale landfill fire by chaining supply chain hacks via npm and the smoking-hot-vibe-coded AI agent disaster of OpenClaw.”
