Find notable cyber news and cases, enriched with sources, timelines, and signals.

Cline hit by cyberattack

Incident
First reported
Last updated
Happening score
H score 31
2 unique sources, 2 articles

Summary

Hide ▲

A Cline CLI supply-chain incident on February 17, 2026 used a compromised npm publish token to publish [email protected] with a postinstall step that silently installed OpenClaw on developer machines. The poisoned package was live for about eight hours, was downloaded roughly 4,000 times, and did not affect the VS Code extension or JetBrains plugin. Cline responded by releasing 2.4.0, deprecating 2.3.0, revoking the token, and moving npm publishing to OIDC via GitHub Actions.

Related Happenings

OpenClaw message-object prompt injection patched in 2026.4.23 security flaw

Vulnerability
H score15 First: 11.06.2026 20:46 Last: 11.06.2026 20:46 Sources 1

About this happening: **OpenClaw** has a patched **message-object prompt injection flaw** that let hidden instructions inside **shared contacts, vCards, and location pins** reach the LLM as trusted pro...

Cline Kanban server WebSocket origin/authentication security flaw

Vulnerability
H score33 First: 07.05.2026 17:30 Last: 07.05.2026 17:30 Sources 1

About this happening: **Cline Kanban server** has a **critical WebSocket origin/authentication flaw** that can let a webpage a developer visits **exfiltrate workspace data**, **inject terminal commands...

GitHub git push RCE (CVE-2026-3854)

Vulnerability
H score27 First: 29.04.2026 15:41 Last: 29.04.2026 15:41 Sources 1

About this happening: GitHub patched **CVE-2026-3854**, a critical **remote code execution** flaw affecting **GitHub.com** and **GitHub Enterprise Server** that could expose **millions of private repos...

Open VSX pre-publish scanning fail-open now patched security flaw

Vulnerability
H score5 First: 27.03.2026 15:57 Last: 27.03.2026 15:57 Sources 1

About this happening: A **now-patched fail-open bug** in **Open VSX's pre-publish scanning pipeline** could let **malicious VS Code extensions** bypass vetting and go live in the registry, weakening a...

Npm package ecosystem CanisterWorm exploitation wave

Exploitation Wave
H score28 First: 23.03.2026 10:31 Last: 23.03.2026 10:31 Sources 1

About this happening: Attackers expanded the **Trivy** compromise into a **self-propagating CanisterWorm** wave that hit **dozens of npm packages**, creating broad downstream supply-chain risk. The abu...

Timeline

  1. 20.02.2026 00:33 3 articles · 4mo ago

    Cline 2.3.0 npm package silently installs OpenClaw

    Initial Disclosure

    Users who downloaded Cline version 2.3.0 received a poisoned npm package that used a post-install hook to silently install OpenClaw on their systems, affecting about 4,000 downloads over roughly eight hours before deprecation; Cline revoked the compromised token, removed the tainted package, and released version 2.4.0 with OIDC provenance via GitHub Actions.

    Show sources