MAL-2026-1380

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cline/MAL-2026-1380.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2026-1380
Aliases:
Published: 2026-03-12T22:33:41Z
Modified: 2026-03-23T05:41:09.114153Z
Summary: Malicious code in cline (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (38d7531f4d4af07fee607e1d2985d0ea5b41dbf28cca5bc16c8457934e372f86)

The package cline was found to contain malicious code.

Source: google-open-source-security (ba9952611b2aa348b1b5cc0349d7b905e32d34effa53081994388c37d0d3462a)

An unauthorized party used a compromised npm publish token to publish v2.3.0 of the Cline CLI on npm. The compromise added a postinstall script that globally installed openclaw.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "ba9952611b2aa348b1b5cc0349d7b905e32d34effa53081994388c37d0d3462a",
            "modified_time": "2026-03-12T22:33:41Z",
            "versions": [
                "2.3.0"
            ],
            "import_time": "2026-03-12T22:34:51.899506Z",
            "source": "google-open-source-security"
        },
        {
            "sha256": "38d7531f4d4af07fee607e1d2985d0ea5b41dbf28cca5bc16c8457934e372f86",
            "modified_time": "2026-03-23T05:11:41Z",
            "versions": [
                "2.3.0"
            ],
            "import_time": "2026-03-23T05:13:58.413853945Z",
            "source": "amazon-inspector"
        }
    ]
}

Affected packages

npm / cline

Package

Affected ranges

Affected versions

2.*
2.3.0

Database specific

source: "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cline/MAL-2026-1380.json"