Unauthorized npm publish of [email protected] with modified postinstall script
- Severity:
- Low
Description
On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: [email protected]. The published package contains a modified package.
Recommendation
Update the cline package to the latest compatible version. Followings are version details:
- Affected version(s): = 2.3.0
- Patched version(s): 2.4.0
References
Related Issues
- Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability - CVE-2026-44211
- Unauthorized File Access in atompm - Vulnerability
- electerm: electerm_install_script_CommandInjection Vulnerability Report - CVE-2026-41500
- Layui cross-site scripting (XSS) vulnerability - CVE-2023-50550
You might also like:
- Tags:
- npm
- cline
Anything's wrong? Let us know Last updated on February 19, 2026