Advisories for Npm/Cline package

2026

Unauthorized npm publish of cline@2.3.0 with modified postinstall script

On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the npm registry: cline@2.3.0. The published package contains a modified package.json with an added postinstall script: "postinstall": "npm install -g openclaw@latest". This causes openclaw (an unrelated, non-malicious open source package) to be globally installed when cline@2.3.0 is installed. No other files were modified – the …