
Deep Dive · May 2026

What Happens When Cursor Runs npm install For You

You asked Cursor to add a library. It ran npm install autonomously. Here's the execution chain that fired on your machine — and why none of your existing security tools saw it.

The invisible chain

When you type “add react-query to this project” in Cursor, the AI agent doesn't just generate an import statement. It spawns a real process:

  1. Cursor's agent decides to call npm install @tanstack/react-query
  2. npm resolves the dependency tree — potentially hundreds of transitive packages
  3. Each package with a postinstall script runs arbitrary code: node, bash, python, whatever the author chose
  4. Those scripts can read files, spawn processes, make network connections — all under your user privileges

This entire chain happens in seconds. You approved “add a library.” You did not approve “run 47 postinstall scripts from packages I've never audited.”

What your tools see

Your EDR sees node spawning node. It doesn't know the first node is npm, the second is a postinstall script, and the initiator was an AI agent in Cursor. It's just processes.

Your SAST hasn't scanned these packages yet — they were just installed. And even if it had, it scans source code in git, not runtime execution on your laptop.

npm audit checks known CVEs in the registry. It doesn't analyze what postinstall scripts actually do at runtime. A package with zero CVEs can still curl your .env to an external server.

What TURI sees

TURI's Endpoint Security extension intercepts the entire chain at the OS level:

  1. Process spawn: Cursor → node (npm) — classified as agentic, tagged with parent IDE
  2. Transitive execution: npm → node (postinstall) — behavioral rule transitive_package_execution fires
  3. If postinstall reads secrets: File governor logs .env / .aws/credentials access
  4. If postinstall phones home: Network Extension catches the egress; behavioral chain secret_read_to_external_network fires

With the secure baseline:

  • The supply-chain install gate intercepts the npm call before postinstall scripts run — you get a DECIDE prompt
  • Ungoverned runners (raw node from npm) are blocked by ExecGovernor
  • Secret reads + egress from transitive packages trigger quarantine

The difference isn't monitoring. It's that TURI can block the postinstall script before it finishes — not alert you after your secrets are already exfiltrated.

Try it yourself

The npm supply-chain scenario in the docs walks through this exact chain with a safe test package. Run it in default mode, see the alerts. Apply the secure baseline, run it again, see the blocks. Check the proof commands.

That's the difference between an AI agent firewall and everything else: you don't have to trust the package, the agent, or the postinstall script. You verify what happened — or prevent it entirely.
