Unauthorized npm publish of cline@2.3.0 with modified postinstall script
- Severity: Low
Description
On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the npm registry: cline@2.3.0. The published package contains a modified package.
Recommendation
Update the cline package to the latest compatible version. Version details:
- Affected version(s): = 2.3.0
- Patched version(s): 2.4.0
- Tags: npm, cline
Last updated on February 19, 2026