Your AI Agent Just Installed Malware
Last week, an AI coding agent installed a typosquatted package in a production codebase. Nobody noticed for three days. The package had a postinstall script that exfiltrated environment variables — API keys, database credentials, session tokens — to an attacker-controlled server. The developer who prompted the agent never reviewed the dependency list. Why would they? The code worked.
Published April 4, 2026
AI agents optimize for "does it work?" — not "is it safe?"
AI coding agents are changing how software gets built. Cursor, Copilot, Cline, Devin, and dozens of others now write code, resolve dependencies, run installs, and ship changes with minimal human oversight. They are fast, tireless, and increasingly autonomous.
They are also completely indifferent to supply chain security.
When an AI agent runs npm install some-package, it is executing arbitrary code on your machine. Lifecycle scripts run during installation, as soon as the package is unpacked, with the full privileges of the user that ran the command. Malicious packages use that moment to exfiltrate data, install backdoors, and establish persistence. The agent does not check the package's publish history, author reputation, or security advisories. It checks whether the tests pass.
Every npm install an AI agent executes is unreviewed arbitrary code execution. And agents execute a lot of them.
The data is alarming
In April 2026, a16z published research quantifying what security teams had suspected: AI coding agents are significantly worse than humans at selecting safe dependencies. The findings are stark.
AI agents select dependency versions with known vulnerabilities 50% more often than human developers. They optimize for compatibility and recency, not security posture. When an agent picks a package version, it is choosing the one most likely to make the code work — even if that version has a critical CVE.
LLMs hallucinate package names. They confidently recommend packages that do not exist — yet. Attackers monitor LLM outputs, identify commonly hallucinated names, and register them on npm with malicious payloads. This is called slopsquatting. One slopsquatted package accumulated over 30,000 downloads before detection. Lasso Security's study found that commercial LLMs hallucinate package names in 5.2% of code generation responses.
Autonomous agents ship code without human review. When a human developer adds a dependency, there is at least a chance someone notices it in a PR review. When an agent adds one in the middle of a multi-step task, there is no natural review point. The dependency is installed, the tests pass, the PR is opened, and the code ships.
"We are building a world where machines write the code, machines choose the dependencies, and machines ship the updates. The security review step that used to happen — imperfectly, but reliably enough — between dependency selection and production deployment is being compressed to zero."
What actually catches these attacks
The answer is not better AI. The answer is enforcement at the install path — before the package reaches your machine, before the install script runs, before the agent moves on to the next task. nproxy evaluates every package request against security rules at the registry layer. Here is what those rules catch.
The malware rule checks every package against Socket.dev's malware intelligence feed. Known malicious packages, including slopsquatted names with exfiltration payloads, are blocked before they reach your machine. When the axios@1.14.1 attack shipped a RAT payload via a compromised maintainer account, malware detection caught the signature.
The first_seen rule quarantines newly published packages for a configurable window (default: 7 days). This is the single most effective defense against slopsquatting. When an attacker registers a hallucinated package name, it is brand new: zero history, zero downloads, zero community vetting. The first_seen rule blocks it automatically. The same rule would have caught flatmap-stream in the event-stream attack, a package created specifically for that compromise. The trade-off is that legitimate fresh releases, security patches included, wait out the same window, which is why the threshold is tunable per team.
A publisher-change rule warns when a package version is published by a different maintainer than previous versions. Account takeover is among the most common ways popular packages get compromised, and all three incidents described below involved a maintainer account changing hands or being hijacked. When a trusted package suddenly has a new publisher, that is a signal worth investigating, especially when the change happens on a package your AI agent chose without consulting you. Note the limit: a release pushed with a stolen token still shows the legitimate account as publisher, so this rule catches handovers and newly added publishers rather than every takeover; the malware rule is the backstop for the rest.
The install_scripts rule detects packages with lifecycle scripts (preinstall, install, postinstall). Install scripts are the primary delivery mechanism for npm malware: they execute arbitrary code during npm install, before any scanner has a chance to flag the package. Most legitimate packages do not need them; the minority that do are typically native addons with a build step. Malicious packages almost always use them. npm's own ignore-scripts=true setting in .npmrc is a cheap local complement that stops the script from running even if a package slips past the proxy, at the cost of breaking those few build-step packages unless their builds are run explicitly.
The vulnerability rule checks every package version against OSV (Open Source Vulnerabilities) data. When an AI agent selects a dependency version with a known CVE, which they do 50% more often than humans, the rule surfaces it at install time, not days later in a CI scan that nobody reads.
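To make the first_seen, install_scripts and publisher-change rules concrete, here is an added example of the same checks as a small policy function over a registry packument (the JSON the npm registry returns for GET /<name>). This is illustrative code written for this page, not nproxy's implementation. The field names time, versions, _npmUser and scripts are the real registry fields; the package name, dates and publishers are constructed for the example; first_seen is assumed to measure the age of the requested version (a brand-new package and a hijacked account's fresh release both fail it); and the malware and vulnerability rules are left out because they depend on an external feed.

```javascript
// Added example: minimal install-path policy check over an npm packument.
// Not nproxy's code. Registry field names are real; the sample data is constructed.

const DAY_MS = 86_400_000;
const HOUR_MS = 3_600_000;
const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall"];

// Fixed clock so the example is deterministic.
const NOW = Date.parse("2026-04-04T12:00:00Z");

// Constructed packument: 0.9.0 is an old, clean release by "alice";
// 1.0.0 was pushed 14 hours ago by a different account and adds a postinstall hook.
const samplePackument = {
  name: "example-utils",
  time: {
    created: "2025-01-10T08:00:00Z",
    "0.9.0": "2025-01-10T08:00:00Z",
    "1.0.0": new Date(NOW - 14 * HOUR_MS).toISOString(),
  },
  versions: {
    "0.9.0": { version: "0.9.0", _npmUser: { name: "alice" }, scripts: { test: "node test.js" } },
    "1.0.0": { version: "1.0.0", _npmUser: { name: "mallory" }, scripts: { test: "node test.js", postinstall: "node setup.js" } },
  },
};

// The most recent version published before `version`, by publish time (not semver),
// so a backdated patch release is compared against what users actually had before it.
function previousVersion(packument, version) {
  const published = Date.parse(packument.time[version]);
  let best = null;
  for (const [v, t] of Object.entries(packument.time)) {
    if (v === "created" || v === "modified" || v === version) continue;
    const ts = Date.parse(t);
    if (ts < published && (best === null || ts > best.ts)) best = { v, ts };
  }
  return best ? best.v : null;
}

// Evaluate one requested version. Returns findings plus an overall block decision.
function evaluate(packument, version, opts = {}) {
  const now = opts.now ?? Date.now();
  const firstSeenDays = opts.firstSeenDays ?? 7;          // quarantine window
  const blockInstallScripts = opts.blockInstallScripts ?? false; // warn by default
  const meta = packument.versions[version];
  if (!meta) throw new Error(`${packument.name}@${version}: no such version`);
  const findings = [];

  // first_seen: anything published inside the window is quarantined.
  const ageMs = now - Date.parse(packument.time[version]);
  if (ageMs < firstSeenDays * DAY_MS) {
    findings.push({ rule: "first_seen", action: "BLOCKED",
      message: `published ${Math.round(ageMs / HOUR_MS)} hours ago (threshold: ${firstSeenDays} days)` });
  }

  // install_scripts: lifecycle hooks run arbitrary code at install time.
  const hooks = LIFECYCLE_SCRIPTS.filter((s) => meta.scripts && meta.scripts[s]);
  if (hooks.length > 0) {
    findings.push({ rule: "install_scripts", action: blockInstallScripts ? "BLOCKED" : "WARN",
      message: `${hooks.join(", ")} script detected` });
  }

  // publisher_change: compare _npmUser with the previous release's publisher.
  // A stolen-token release keeps the legitimate name and will not trip this check.
  const prev = previousVersion(packument, version);
  if (prev) {
    const prevUser = packument.versions[prev]?._npmUser?.name;
    const curUser = meta._npmUser?.name;
    if (prevUser && curUser && prevUser !== curUser) {
      findings.push({ rule: "publisher_change", action: "WARN",
        message: `published by ${curUser}, previous version ${prev} by ${prevUser}` });
    }
  }

  return { name: packument.name, version, blocked: findings.some((f) => f.action === "BLOCKED"), findings };
}

// Render a decision in the same shape as a proxy's install log.
function render(result) {
  const id = `${result.name}@${result.version}`;
  const lines = result.findings.map((f) => `${f.action} ${id} [${f.rule}] ${f.message}`);
  lines.push(result.blocked ? "resolution failed: blocked dependency in tree" : `OK ${id}`);
  return lines.join("\n");
}

console.log(render(evaluate(samplePackument, "1.0.0", { now: NOW })));
console.log(render(evaluate(samplePackument, "0.9.0", { now: NOW })));
```

Requesting 1.0.0 trips all three rules and is blocked by first_seen alone; requesting 0.9.0 passes clean. Passing blockInstallScripts: true turns the install_scripts warning into a block, which is the "block install scripts outright" posture some teams choose.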
What this looks like in practice
An AI agent tries to install a hallucinated package name that an attacker registered on npm:
$ npm install react-query-utils
resolving packages via acme.nproxy.app...
BLOCKED react-query-utils@1.0.0 — malware: exfiltration payload detected (socket.dev)
BLOCKED react-query-utils@1.0.0 — first_seen: published 14 hours ago (threshold: 7 days)
WARN react-query-utils@1.0.0 — install_scripts: postinstall script detected
resolution failed — blocked dependency in tree
$
The agent's install fails at resolution, so the tarball is never unpacked, the postinstall script never runs, and the malicious package never lands on disk. The developer sees a failed install with the reason attached instead of a silent compromise.
One command. Every install protected.
The fix is not a new workflow. It is not a linter plugin, a CI step, or a browser extension. It is a registry proxy that sits between your package manager and upstream registries. One command configures it:
npx @nproxy/cli setup
That command writes your .npmrc to point at your nproxy registry endpoint. From that point forward, every npm install, pnpm install, or yarn install in that project flows through nproxy. Every AI agent running in that project is protected.
- .npmrc is configured — points your package manager at your nproxy endpoint
- Every install is evaluated — packages are checked against security rules before they reach your machine
- Risky packages are blocked — malware, brand-new packages, and known vulnerabilities are stopped at the proxy layer
- Zero behavior change — developers and AI agents keep using their tools as usual. There is nothing new to learn or remember.
- Free tier, no signup required — start protecting your project immediately
This matters because the protection works regardless of what initiates the install. A human developer, a Copilot suggestion, an autonomous Devin task, a CI pipeline: they all go through the same registry endpoint. You do not need to integrate with each AI tool individually. You protect the install path once, and everything upstream is covered. The one condition is that the install actually honours that .npmrc. A command run from outside the project directory, or with an explicit --registry override, goes straight to the upstream registry, so for agents that work in their own containers or checkouts, set the registry in that environment's user-level ~/.npmrc as well and confirm it with npm config get registry.
For teams running AI agents at scale
Individual developers get protection from the proxy rules. Teams get visibility and control.
See every package install across your organization. Which packages were blocked, which triggered warnings, and which passed clean. When an AI agent tries to install something suspicious at 2 AM, you see it in the morning.
Full audit trail of every package request. Searchable, filterable, exportable. Useful for compliance (SOC 2, ISO 27001) and for incident response when you need to know exactly what was installed and when.
Customize which rules are active, whether they block or warn, and set thresholds. Some teams block all packages published in the last 7 days. Others use 30 days. Some block install scripts outright. The rules adapt to your risk tolerance.
Get notified when packages are blocked. Security teams do not need to monitor a dashboard — they receive an email with the package name, the rule that triggered, and the full context of the request.
This is not theoretical
The attacks nproxy's rules are built to catch are not hypothetical. They have happened, repeatedly, to some of the most popular packages in the npm ecosystem:
- event-stream (2018) — Maintainer transferred publish access to a stranger who injected a malicious dependency targeting Bitcoin wallets. 2 million weekly downloads. Undetected for two months.
- ua-parser-js (2021) — Maintainer account compromised. Malicious versions shipped cryptominers and credential stealers. 24 million weekly downloads.
- axios (2026) — North Korean threat group hijacked a maintainer account and published a RAT payload. 100 million weekly downloads. Live for two hours.
Each of these attacks would have been caught by nproxy's default rules. Not by a scanner that runs hours later. Not by a code review that may or may not notice a new dependency. At install time, before the malicious code executes.
Now multiply that attack surface by the number of AI agents running unsupervised installs across your organization. The window between dependency selection and code execution is collapsing. The only viable defense is enforcement at the point where packages enter your system.
- a16z: AI Agents and Software Supply Chain Security
Research showing AI agents select vulnerable dependency versions 50% more often than human developers.
- Socket.dev: Slopsquatting — When LLMs Hallucinate Packages
Analysis of attackers registering package names that LLMs hallucinate, with one package reaching 30,000 downloads.
- Lasso Security: AI Package Hallucination Research
Study finding that commercial LLMs hallucinate package names in 5.2% of code generation responses.
- nproxy documentation
nproxy security rules reference and setup documentation.
Protect every install. One command.
Run this in your project directory and every package install — from humans and AI agents alike — flows through nproxy's security rules.
npx @nproxy/cli setup