Sneaky npm Package Plants OpenClaw Malware on Developer Computers

Taryn Plumb

While the AI itself wasn’t designed for harm, the underlying method sparks worry regarding AI agents with extensive system permissions.


A recently discovered security flaw has led to users inadvertently installing the AI agent OpenClaw.

Researchers uncovered that a compromised npm publishing token facilitated an update to the widely-adopted Cline command-line interface (CLI). This update included a malicious post-installation script designed to automatically deploy the highly popular, yet increasingly controversial, agentic application OpenClaw onto unsuspecting users’ systems.

This incident poses significant risks, considering OpenClaw’s extensive system access and deep integrations with communication platforms such as WhatsApp, Telegram, Slack, Discord, iMessage, and Teams, among others.

According to findings by the security platform Socket, the malicious script remained active on the registry for approximately eight hours.

It’s important to note that, in this specific instance, OpenClaw itself was not inherently malicious. However, this event adds another concerning chapter to OpenClaw’s history of security vulnerabilities, and similar scenarios could lead to it being classified as a ‘potentially unwanted application’ (PUA).

“They essentially transformed OpenClaw into a form of malware that standard EDR [endpoint detection and response] systems won’t detect,” commented David Shipley from Beauceron Security. He described the tactic as “insidiously and terrifyingly ingenious.”

OpenClaw’s Popularity with Users — and Attackers

OpenClaw (previously known as Clawdbot and Moltbot) is a free, open-source, autonomous AI agent that debuted on January 29 and quickly went viral. Its developer, Peter Steinberger, reported over 2 million repository visits in just one week, with estimated weekly downloads reaching 720,000.

Operating locally on user hardware instead of cloud environments, OpenClaw can autonomously execute real-world tasks such as checking emails, navigating web pages, running applications, and managing schedules on behalf of its user.

Despite its utility, its release was almost immediately accompanied by significant security concerns. It proved vulnerable to prompt injection attacks, authentication bypasses, and server-side request forgery (SSRF), among other forms of exploitation. Many organizations have reacted by severely limiting or completely prohibiting the use of this AI agent.

While OpenClaw was merely installed, and not inherently malicious, in the Cline incident, “the attacker possessed the capability to install anything they wished,” stated Sarah Gooding of Socket. “This time it was OpenClaw. Next time, it could be something truly harmful.”

The Cline CLI is extensively used across the developer landscape, accumulating roughly 90,000 weekly downloads from npm. The compromised token allowed the publication of cline@2.3.0, whose modified package.json contained a postinstall script that installed the latest OpenClaw version from the npm registry. The insertion of this script was the only alteration to the package; otherwise, the CLI binary and its other contents mirrored the legitimate previous release, as Gooding observed, making the change hard to spot.

The compromised package was uploaded on February 17, though the underlying vulnerability had been identified six weeks prior by security researcher Adnan Khan. The package remained active on the registry for an estimated eight hours before it was marked as deprecated and Cline released a corrected version (2.4.0).

Khan first published his findings on the vulnerable workflow on February 9, after his attempts to get a response from Cline went unanswered; Cline then applied a fix within 30 minutes. That patch closed the immediate entry point, but the token could already have been stolen during the attacker’s earlier reconnaissance, so the fix came too late to prevent the February 17 publication, which is when the exploit actually occurred.

“Cline had no pre-existing install scripts, so the emergence of a new one constituted an unusual signal warranting investigation,” Gooding stated, adding that Socket has since categorized the unauthorized publication as malware.
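One way to operationalize that signal, as an added example that is not Cline’s or Socket’s code: a check that diffs two package.json manifests and blocks an upgrade when an install-lifecycle hook appears or changes. The manifests, the prior version number and the hook body below are constructed placeholders, not the real package contents.

```python
"""Flag install-lifecycle hooks that appear or change between npm package versions.

Added example for this article; it is not Cline's or Socket's tooling.
The manifests are constructed to mirror the described incident: the prior
release shipped no install scripts and the rogue release differs only by a
new postinstall hook. The prior version number and hook body are assumed.
"""
import json

# Hooks npm runs automatically while installing a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_release(old_manifest: str, new_manifest: str) -> dict:
    """Compare two package.json documents and report risky changes.

    Returns the lifecycle hooks that are new or altered in the second
    manifest, every top-level field whose value changed, and a verdict.
    A package that never had install scripts suddenly gaining one is the
    anomaly Socket flagged in the Cline release.
    """
    old, new = json.loads(old_manifest), json.loads(new_manifest)
    old_scripts, new_scripts = old.get("scripts", {}), new.get("scripts", {})
    risky_hooks = {h: new_scripts[h] for h in LIFECYCLE_HOOKS
                   if h in new_scripts and new_scripts[h] != old_scripts.get(h)}
    changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
    # A hook runs with the installing user's privileges, so its mere
    # appearance is enough to hold the upgrade for review.
    verdict = "block" if risky_hooks else "ok"
    return {"risky_hooks": risky_hooks, "changed_fields": changed, "verdict": verdict}


# Constructed manifests; the previous version number is a placeholder.
LEGIT_RELEASE = json.dumps({
    "name": "cline", "version": "2.2.0",
    "bin": {"cline": "bin/cline.js"},
    "scripts": {"test": "node test.js"},
})
ROGUE_RELEASE = json.dumps({
    "name": "cline", "version": "2.3.0",
    "bin": {"cline": "bin/cline.js"},
    # Assumed hook body: the article says only that the script installed OpenClaw.
    "scripts": {"test": "node test.js", "postinstall": "npm install -g openclaw"},
})

if __name__ == "__main__":
    print(json.dumps(audit_release(LEGIT_RELEASE, ROGUE_RELEASE), indent=2))
```

Running installs with npm’s `--ignore-scripts` option stops such hooks from executing at all, at the cost of breaking packages that legitimately depend on them.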

For developers who installed or updated the Cline CLI during the approximate eight-hour window on February 17, Socket recommends the following:

  • Upgrade to the most recent version: npm install -g cline@latest
  • If currently on version 2.3.0, update to 2.4.0 or a later release.
  • Verify whether OpenClaw is present and remove it immediately if its installation was unintended: npm uninstall -g openclaw

Gooding observed that “nothing executed automatically beyond the initial installation,” but stressed that a risk persisted: “OpenClaw is a highly capable agentic tool endowed with extensive system permissions, making it far from a trivial package to be silently deposited onto a developer’s machine.”

An Unavoidable Predicament

Shipley asserted that EDR (endpoint detection and response), MDR (managed detection and response), and other security providers will inevitably be compelled to label OpenClaw as either a PUA or “outright malware, which, frankly, it has the potential to be,” or else these types of attacks will continue to succeed.

“I dislike admitting this to attackers, but in this instance, one almost has to,” he conceded. “This is precisely why agentic AI will lead to the compromise of so many individuals.”

Ultimately, Shipley noted, it creates a no-win situation, especially if any organization was “foolish enough” to permit OpenClaw within their enterprise environment and base critical business operations on it.

As he eloquently put it: “Attackers transformed the two most significant cybersecurity debacles of 2026 into a widespread catastrophe by combining supply chain vulnerabilities via npm with the disastrous, ‘vibe-coded’ AI agent known as OpenClaw.”

This article was originally featured on CSOonline.
