Your AI Coding Assistant Is Now a Supply Chain Attack Surface

Cursor agents install npm, pip, cargo, and Go packages on your behalf. That’s new attack surface. poc hook intercepts every install before it runs.

There used to be a human in the loop when a new dependency entered your project. You typed npm install. You chose the package. You (maybe) checked the publisher count. Then the Shai-Hulud worm happened.

On May 19, 2026, a compromised npm account published 637 malicious package versions in 39 minutes. The worm propagated autonomously, harvested credentials from 80+ environment variables, and installed persistence across three different hooks: .claude/settings.json, .vscode/tasks.json, and a background daemon polling GitHub every 60 seconds for signed commands.

It specifically targeted AI coding environments. Not as an afterthought—as the primary persistence vector.


The new attack surface

When you type npm install, there’s a decision point. Most people pause, check what they’re installing, maybe look at weekly downloads or the GitHub repo. That pause is where human judgment used to live.

AI agents don’t pause. When Cursor decides your project needs axios, it runs npm install axios and moves on. When it scaffolds a Python project, it runs pip install litellm requests in one shot. There’s no friction, no second look.

That’s not an argument against using AI coding assistants. It’s an argument for putting the gate somewhere the agent can’t bypass it.


How poc hook works

Cursor exposes a beforeShellExecution hook: a JSON-configured script that intercepts shell commands before they run and returns allow, ask, or deny with a message.

poc hook installs a script into that hook. It parses the incoming command, identifies package install patterns across all four major ecosystems, calls the Commit API to score each package, and makes a decision—all in under 500ms so it doesn’t interrupt normal flow.

poc hook            # project-local (.cursor/hooks.json)
poc hook --global   # all Cursor projects (~/.cursor/hooks.json)

What it intercepts:

Package manager    Example
npm / npx          npm install axios
pnpm               pnpm add lodash
yarn               yarn add chalk
pip / uv           pip install litellm
cargo              cargo add serde
go                 go get github.com/gin-gonic/gin

When a CRITICAL package is detected—sole publisher, >10M weekly downloads, the exact attack surface that got LiteLLM and axios compromised—the hook blocks the install and shows the agent why:

🔴 Commit blocked: axios is flagged CRITICAL by Commit supply chain scoring.

  🔴 axios (score 86/100) — CRITICAL: sole npm publisher, 99M/week

→ Review: https://getcommit.dev/audit?packages=axios&ecosystem=npm

Package install blocked. The agent should use a safer alternative
or get explicit user approval.

The agent gets the context it needs to explain to you what happened and why. You stay in control of the decision.
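As an added example (not poc hook's own source), here is the parse-and-decide core a beforeShellExecution hook of this kind needs, written for Node.js because that is what the hook runs under: it splits the incoming shell command, pulls package names out of the install forms listed above across all four ecosystems, and turns scores into an allow/deny answer shaped like the message shown above. The Cursor hook JSON field names, the CRITICAL threshold of 80 and the sample scores are assumptions, not values from the page.

```javascript
// Added example, not poc hook's own code. Assumed Cursor hook contract: the hook gets JSON
// with a "command" field on stdin and answers with {"permission": allow|ask|deny, "agentMessage"}.
const CRITICAL_THRESHOLD = 80; // assumed cut-off; the page shows axios at 86/100 as CRITICAL

// One entry per install form: [ecosystem, regex for "<tool> <verb>" at the start of a command].
const INSTALL_PATTERNS = [
  ['npm',   /^(?:npm|pnpm|yarn)\s+(?:install|i|add)\b/],
  ['npm',   /^npx\b/],                            // npx: only the first positional is a package
  ['pip',   /^(?:pip3?|uv\s+pip)\s+install\b|^uv\s+add\b/],
  ['cargo', /^cargo\s+add\b/],
  ['go',    /^go\s+get\b/],
];

// Reduce "axios@1.6.0", "@scope/pkg@2", "litellm==1.0", "mod@v1.2" to bare names (keep "@scope/").
const bareName = (eco, t) =>
  eco === 'pip' ? t.split(/[=<>!~[;]/)[0].toLowerCase() : t.replace(/(?!^)@.*$/, '');

// Return [{ecosystem, name}] for every package the command would install. Splits chained
// commands (&&, ||, ;), skips flags (-D, --save-dev) and the file named after pip's -r.
function extractInstalls(command) {
  const found = [];
  for (const segment of command.split(/&&|\|\||;/)) {
    const cmd = segment.trim();
    const hit = INSTALL_PATTERNS.find(([, re]) => re.test(cmd));
    if (!hit) continue;
    const [ecosystem, re] = hit;
    const tokens = cmd.replace(re, '').trim().split(/\s+/).filter(Boolean);
    for (let i = 0; i < tokens.length; i++) {
      if (tokens[i] === '-r' || tokens[i] === '--requirement') { i++; continue; }
      if (tokens[i].startsWith('-')) continue;
      found.push({ ecosystem, name: bareName(ecosystem, tokens[i]) });
      if (re.source.startsWith('^npx')) break;
    }
  }
  return found;
}

// Hook policy: deny when any package scores CRITICAL, else allow. scoreFn stands in for the remote call.
function decide(command, scoreFn) {
  const flagged = extractInstalls(command)
    .map((p) => ({ ...p, ...(scoreFn(p) || { score: 0, reason: '' }) }))
    .filter((p) => p.score >= CRITICAL_THRESHOLD);
  if (flagged.length === 0) return { permission: 'allow' };
  const lines = flagged.map((p) => `${p.name} (${p.ecosystem}) score ${p.score}/100: ${p.reason}`);
  return { permission: 'deny', agentMessage: `Package install blocked:\n${lines.join('\n')}` };
}

// Constructed stand-in for the scoring API; scores and reasons are illustrative, not real data.
const SAMPLE_SCORES = { 'npm:axios': { score: 86, reason: 'sole npm publisher, 99M/week' },
                        'pip:litellm': { score: 83, reason: 'sole publisher, stale releases' } };
const lookupScore = (p) => SAMPLE_SCORES[`${p.ecosystem}:${p.name}`] || null;
```

Wired into Cursor, the script would read the hook's JSON from stdin, pass its command field to decide() and print the returned object as JSON, with lookupScore replaced by the real scoring call.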


The Shai-Hulud context

The May 2026 supply chain attack was unusual in its specificity toward AI tooling. Targeting .claude/settings.json wasn’t random—it’s where Claude Code loads its SessionStart hooks. The attacker understood that a Claude Code hook running at session start has the same access as the AI assistant itself: filesystem, shell, network.

The packages most at risk during that attack were the ones that scored worst behaviorally before it happened: sole publishers, stale release histories, high download volumes. Three of the five non-AntV packages were sole-publisher. Two had no release in over a year.

npm audit showed zero vulnerabilities on all of them the day before the attack.

Behavioral signals saw it coming. Process-based signals didn’t.


Why the hook belongs in the IDE, not just CI

CI gates catch packages after they’re already in your lock file. The poc hook catches them before npm install completes—before anything hits disk, before the package is in your tree.

For human developers, that distinction is mostly philosophical: you can always delete a package. For AI agents operating at speed across multiple dependencies, the window between “install command run” and “malicious code executed during postinstall” can be milliseconds.

The hook is the first gate on the default path. CI is the second. Both run; the hook runs first.


Setup in 30 seconds

# Install the CLI if you haven't already:
npm install -g proof-of-commitment

# Install the Cursor hook (project-local):
poc hook

# Optional: save a free API key first for higher rate limits
# poc login sk_commit_…   (get one at getcommit.dev/get-started)

# To protect all Cursor projects:
poc hook --global

The hook requires Node.js (already installed if you use Cursor). No separate dependency. No background process. It runs as a one-shot script each time Cursor’s agent issues a shell command.