"Researchers have discovered that a compromised npm publish token pushed an update for the widely-used Cline command line interface (CLI) containing a malicious postinstall script. That script installs the wildly popular, but increasingly condemned, agentic application OpenClaw on the unsuspecting user’s machine."
Now that would be crazy if it turns out AI planted the corrupted NPM...
It's always JavaScript and npm. You should all switch to Java.
"Install Once, Run Nowhere"
Naw. OpenAI prolly. After all, they committed to supporting claws.
Stackers beware: If you thought that `npm install <package>` is harmless, think again. postinstall was proven fundamentally compromised years ago. Instead, at the very least:

```
docker run -dit --name mysecureshitshow node:lts-alpine sh
docker exec -it mysecureshitshow npm install <package>
```

and then you can

```
docker exec -it mysecureshitshow sh
```

and do your thing. You can also specify which packages can do anything post install.