On February 17, 2026, a malicious version of the Cline package was published to npm, which included a code change in the package.json file that executed a post-install command to install OpenClaw, an AI agent with full system access. This led to approximately 4,000 developer machines being compromised as users installed or updated the Cline package without consent.

Claude Code Security is a new capability in Claude Code that scans codebases for security vulnerabilities and suggests targeted software patches for human review. It aims to assist security teams in addressing the overwhelming number of software vulnerabilities.