Postmortem: unauthorized Cline CLI npm publish on February 17, 2026
A "benign payload" but installing openclaw doesn't seem benign to me...
cline.bot 4 weeks ago

Summary

At 3:26 AM PT on February 17th, an unauthorized party used a compromised npm publish token to publish cline@2.3.0 to npm. The published package contained a single modification: an added postinstall script (npm install -g openclaw@latest) that globally installs openclaw, a legitimate open source project. The CLI binary and all other package contents were byte-identical to the previous release. No malicious code was delivered.

By 11:23 AM PT, we had published a corrected version (2.4.0), deprecated 2.3.0, and revoked the compromised token. The exposure window was approximately 8 hours.

[...]

On December 21, 2025, we added a GitHub Actions workflow to automatically triage incoming GitHub issues. The workflow used claude-code-action and was configured with allowed_non_write_users: "*" and access to the Bash tool, meaning any GitHub user could open an issue and Claude would analyze it with the ability to execute shell commands.

This created a prompt injection vulnerability. An attacker could craft an issue title containing instructions that trick Claude into running arbitrary code on the GitHub Actions runner. The workflow itself had limited GitHub permissions (read-only repo access, issues write), but because it ran on the default branch, it shared a cache scope with our nightly release workflow.

GitHub Actions caches are accessible to any workflow in a repository, even if that workflow doesn't explicitly use caching. Although cache entries are immutable, an attacker with code execution in the triage workflow could flood the cache to evict legitimate entries (GitHub evicts immediately after 10 GB). They could then plant poisoned cache entries matching the keys our nightly release workflow expected. When the nightly workflow ran, it would restore the poisoned cache, giving the attacker code execution in a workflow that had access to our publication secrets.

Security researcher Adnan Khan identified this vulnerability and reported it via GitHub Security Advisory on January 1, 2026. The report was not addressed until Adnan publicly disclosed the vulnerability on February 9. Within 30 minutes of the disclosure, we removed the vulnerable workflows and began rotating credentials. The VS Code Marketplace and OpenVSX tokens were rotated successfully. We failed to rotate the NPM token: during the process, the wrong token was deleted while the exposed one remained active. We verified the rotation through npm's org-level token management page, which showed zero active tokens, but the exposed token was not surfaced in that view.

On February 17, a third party used the still-active token to publish cline@2.3.0 with the openclaw postinstall script. The payload was benign, and no attempt was made to modify the CLI binary or introduce malicious code.
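The one change the summary describes, an install-time script added between two otherwise identical releases, can be caught by comparing package manifests before an update is accepted. The following is an added example, not code from the postmortem or from Cline; the function name, the trait patterns and the placeholder prior manifest are assumptions made for illustration.

```javascript
// Hooks npm runs automatically when a package is installed as a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Traits worth surfacing to a reviewer; patterns are illustrative, not exhaustive.
const TRAITS = [
  ["runs a package manager install", /\b(npm|pnpm|yarn)\s+(install|i|add)\b/],
  ["installs globally", /(^|\s)(-g|--global)(\s|$)/],
  ["uses a floating @latest tag", /@latest\b/],
];

// Compare two parsed package.json objects and report install-time hooks
// that were added or changed between them.
function diffInstallHooks(prev, next) {
  const before = prev.scripts || {};
  const after = next.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = after[hook];
    if (typeof cmd !== "string" || cmd === before[hook]) continue;
    findings.push({
      hook,
      change: hook in before ? "changed" : "added",
      command: cmd,
      traits: TRAITS.filter(([, re]) => re.test(cmd)).map(([label]) => label),
    });
  }
  return findings;
}

// Constructed sample input: the prior manifest is a placeholder; the
// postinstall command is the one quoted in the postmortem.
const previousManifest = { name: "cline", version: "PREVIOUS", scripts: {} };
const publishedManifest = {
  name: "cline",
  version: "2.3.0",
  scripts: { postinstall: "npm install -g openclaw@latest" },
};

const report = diffInstallHooks(previousManifest, publishedManifest);
for (const f of report) {
  console.log(`${f.hook} ${f.change}: ${f.command} [${f.traits.join("; ")}]`);
}
```

Feed it the `package.json` of the currently pinned version and of the candidate version; any non-empty result is a reason to hold the update for review.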