"Researchers have discovered that a compromised npm publish token pushed an update for the widely-used Cline command line interface (CLI) containing a malicious postinstall script. That script installs the wildly popular, but increasingly condemned, agentic application OpenClaw on the unsuspecting user’s machine."
Now that would be crazy if it turns out AI planted the corrupted NPM...
Naw. OpenAI prolly. After all, they committed to supporting claws.
Stackers beware: If you thought that `npm install <package>` is harmless, think again. postinstall was proven fundamentally compromised years ago. Instead, at the very least, run the install inside a throwaway container (the flags below are ordered so docker actually applies them: options before the image name, and the container kept running so you can exec into it):

    docker run -dit --name mysecureshitshow node:lts-alpine sh
    docker exec mysecureshitshow npm install <package>

and then you can

    docker exec -it mysecureshitshow sh

and do your thing.