GitHub Advisory — Cline unauthorized npm publish added postinstall
• Category: Security
AI relevance: Cline is an AI coding agent CLI, and an unauthorized npm publish in that toolchain is a direct supply‑chain risk for agent deployments.
- GitHub Security Advisory GHSA-9ppg-jx86-fqw7 reports a compromised npm publish token used to release a modified Cline CLI package.
- The unauthorized release was cline@2.3.0 and added a postinstall script that globally installed openclaw@latest.
- Advisory notes that the CLI binary and other package contents were unchanged from the prior legitimate release.
- The malicious publish was deprecated the same day and replaced with 2.4.0 after discovery.
- Maintainers revoked the compromised token and moved npm publishing to OIDC‑based provenance via GitHub Actions.
- This is a reminder that agent tooling shipped via npm inherits standard supply‑chain risks, and postinstall hooks are a high‑impact path.
Why it matters
- Agent CLIs often run with elevated access to local codebases and credentials; supply‑chain tampering can quickly become environment compromise.
- Postinstall scripts expand blast radius by executing during dependency installation, before users can inspect behavior.
- Token compromise remains one of the fastest routes to downstream package trust abuse.
What to do
- Pin and verify releases: use lockfiles, integrity checks, and provenance verification for agent tooling.
- Block postinstall scripts in production environments unless explicitly required.
- Scope publish tokens and rotate regularly; prefer short‑lived OIDC‑based publishing.
- Monitor registry events for unexpected publishes or version jumps in agent tool dependencies.
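
One way to apply the first two recommendations before an install runs, as an added example that is not code from the advisory or the Cline project: audit the `packages` map of an npm lockfile (v2/v3) for entries marked `hasInstallScript` that are not on a reviewed allowlist, and for registry entries with no `integrity` hash. The function name `auditLockfile`, the allowlist format and the sample package names are assumptions made for illustration.

```javascript
// Added example (not from the advisory): audit an npm lockfile's "packages" map.
// Flags (1) packages that declare install-time lifecycle scripts and are not on
// a reviewed allowlist, and (2) registry packages with no integrity hash.

function auditLockfile(lock, allowedInstallScripts = []) {
  const allowed = new Set(allowedInstallScripts); // entries look like "name@version"
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, local workspace folders and symlinked entries.
    if (!path.includes('node_modules/') || entry.link) continue;
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const id = `${name}@${entry.version}`;
    if (entry.hasInstallScript && !allowed.has(id)) {
      findings.push({ id, issue: 'unreviewed-install-script' });
    }
    // Bundled dependencies ship inside their parent's tarball and carry no hash.
    if (!entry.integrity && !entry.inBundle) {
      findings.push({ id, issue: 'missing-integrity' });
    }
  }
  return findings;
}

// Constructed sample lockfile; names, versions and hashes are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'agent-host', version: '1.0.0' },
    'node_modules/example-agent-cli': {
      version: '2.3.0',
      resolved: 'https://registry.example.invalid/example-agent-cli-2.3.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
      hasInstallScript: true,
    },
    'node_modules/native-addon': {
      version: '4.1.0', integrity: 'sha512-PLACEHOLDER', hasInstallScript: true,
    },
    'node_modules/@scope/unpinned': { version: '0.9.0' },
  },
};

// Only native-addon@4.1.0 has been reviewed and allowlisted in this sample.
const findings = auditLockfile(sampleLock, ['native-addon@4.1.0']);
for (const f of findings) console.log(`${f.issue}: ${f.id}`);
```

Failing the build on any finding and installing with `npm ci --ignore-scripts` keeps an unreviewed postinstall hook from executing while the finding is triaged.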