Cline CLI 2.3.0 was published with a stolen npm token, installing OpenClaw in an 8-hour attack affecting ~4,000 downloads.
Someone compromised open source AI coding assistant Cline CLI's npm package earlier this week in an odd supply chain attack ...
While the AI itself wasn’t weaponized, the technique raises concerns about AI agents with broad system access.
The malicious version of Cline's npm package — 2.3.0 — was downloaded more than 4,000 times before it was removed.
The npm registry now includes Socket security analysis links directly on package pages to help developers assess supply chain risks.
XDA Developers on MSN
I turned my ROG Ally into a ROG Enemy with this one simple trick
Local AI agents and a gaming handheld - what could possibly go wrong?
North Korea-linked Lazarus campaign spreads malicious npm and PyPI packages via fake crypto job offers, deploying RATs and data-stealing malware.
Open source packages published on the npm and PyPI repositories were laced with code that stole wallet credentials from dYdX developers and backend systems and, in some cases, backdoored devices, ...
Open-source software has become the backbone of modern development, but with that dependency comes a widening attack surface. The npm ecosystem in particular has been a high-value target for ...
The new self-replicating worm iteration has destructive capabilities, erasing home directory contents if it cannot spread to more repositories. Approximately 640 NPM packages have been infected with a ...
Amazon researchers discovered more than 150,000 malicious packages in the NPM registry, in what they called "a defining moment in supply chain security." The packages were part of a token farming ...