Unauthorized npm publish of [email protected] with modified postinstall script

Description On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: [email protected]. The published package contains a modified package.json with an added postinstall script: "postinstall": "npm install -g...