Someone turned OpenClaw into a payload — and the delivery vehicle was a tool most developers already trust.
Security researchers at Socket discovered that a compromised npm publish token pushed a malicious version of the Cline CLI package to the registry, carrying a modified package.json with a postinstall script. That script did one thing: install the latest version of OpenClaw on the developer's machine. No prompt, no consent, no warning.
The Cline CLI — a widely used command-line tool with approximately 90,000 weekly downloads — served as the perfect Trojan horse. The malicious version was live on the npm registry for eight hours before being pulled.
Not Malicious, But Not Harmless
Here's the uncomfortable nuance: OpenClaw itself wasn't weaponized. The installed binary was the standard, unmodified open-source agent. But OpenClaw has broad system access by design — it can browse the web, run shell commands, read and write files, and integrate with messaging platforms including Slack, Telegram, WhatsApp, and Discord.
"They effectively turned OpenClaw into malware that EDR isn't going to stop," said David Shipley of Beauceron Security. "Deviously, terrifyingly brilliant."
The attack didn't need OpenClaw to be malicious. It just needed it to be powerful — and already controversial enough that its presence on a machine raises questions.
The Bigger Picture
This incident lands in the middle of an accelerating security narrative around OpenClaw. The agent — which launched on January 29 and has been downloaded an estimated 720,000 times per week — has already been flagged for prompt injection vulnerabilities, authentication bypasses, and SSRF flaws. Multiple enterprises have restricted or banned it outright.
The npm compromise adds a new dimension: supply chain attacks that deploy AI agents as the payload. Socket researcher Sarah Gooding put it plainly: "This time it was OpenClaw. Next time it might be something malicious."
The incident also raises an interesting classification question. If a legitimate but overpowered tool gets silently installed without consent, does it qualify as a PUA — a potentially unwanted application? Some security vendors are already considering exactly that.
For developers who ran npm install on Cline during those eight hours: check your system for an OpenClaw installation you didn't ask for. And maybe audit your postinstall scripts while you're at it.