Mac POC

What TURI does on Mac

Three common agent-driven attacks on a developer Mac — and what TURI does with factory settings vs the recommended secure baseline.

Don't have TURI yet? Install first, then verify detection in the TURI dashboard. See: Getting started · Secure baseline (required for green-column outcomes) · POC scorecard for reviewers.

1. Compromised npm install

Cursor or Claude Code runs npm install; a malicious package runs a postinstall script (node → osascript or outbound call).

What TURI does

Default install

  • Usually logs the chain and fires behavioral alerts — install often still completes.
  • Does not reliably block the attack chain without enabling the supply-chain gate.

Secure baseline

  • Can intercept npm/pnpm before scripts run (supply-chain gate).
  • Can block or prompt on suspicious postinstall chains when rules are promoted and enforce is on.

Try it

  1. Verify default policy mode
     Open TURI → Policy tab → check enforcement mode
  2. Run the test scenario via CLI
     turi test-scenario supply-chain
  3. Apply secure baseline, re-run, then check dashboard
     See /docs/secure-baseline

Proof

Default: you see alert-style detections in the dashboard. Baseline: you also see intercept/block events after hardening.

Open TURI dashboard → Session Replay → filter for supply-chain events

Full lab notes (prerequisites, extra commands):
  • TURI installed; ES + Network Extension approved
  • Optional: watch the Session Replay panel during the test
  • Baseline: enforcement mode enforce, supply-chain gate enabled — see /docs/secure-baseline

2. Secrets then outbound call

An agent-spawned node or MCP tool reads a credential file, then curl or node reaches the internet.

What TURI does

Default install

  • May log file access and later link read → connect in the behavioral graph (async).
  • Blocking depends on enforce mode and whether the session is classified agentic.

Secure baseline

  • Can deny sensitive file open on agentic processes (file access governance).
  • Can quarantine the session and drop egress to domains on your blocklist.

Try it

  1. Run the secret exfiltration test scenario
     turi test-scenario secret-exfil
  2. Add a test domain to your blocklist
     TURI → Policy tab → add test domain to blocked domains
  3. Verify in dashboard
     Open TURI dashboard → Session Replay → look for file read + network events

Proof

You see file/network events; with enforce + blocked_domains you should see deny/quarantine signals.

Open TURI dashboard → filter for exfiltration detections

Full lab notes (prerequisites, extra commands):
  • Use test files only
  • Enforcement mode: enforce for sync file deny
  • Add test domain to blocked_domains in policy

3. AI app spawns node/python without governance

The IDE spawns node, python, or uv directly — no governance proxy in the parent chain — so installs and scripts run without review.

What TURI does

Default install

  • In monitor or observation mode: logs and smart alerts; often no execution block.
  • This is the main path teams feel as 'the agent ran something and I only found out after.'

Secure baseline

  • With enforce + observation off: process governance can deny ungoverned runners from signed AI parents.
  • Governed execution puts governance in the chain for installs and exec.

Try it

  1. Confirm enforce mode is active
     TURI → Policy tab → verify enforcement mode
  2. From IDE terminal: bare node (ungoverned)
     node -e "console.log('turi-lab-ungoverned')"
  3. Same idea via governed path
     See TURI docs for governed execution setup

Proof

Ungoverned: execution block under enforce. Governed: allow with lineage in dashboard.

Open TURI dashboard → filter for governance events

Full lab notes (prerequisites, extra commands):
  • Policy lists your IDE as an AI agent process
  • Observation mode OFF for a real deny test

4. MCP tool reads secrets then phones home

A rogue or compromised MCP server tool reads local credentials (SSH keys, .env, AWS config) then makes an outbound HTTP call to exfiltrate data.

What TURI does

Default install

  • Logs MCP tool execution and file access; may fire behavioral alert on read→connect chain (async).
  • Does not reliably block egress without enforce mode and a blocklist in place.

Secure baseline

  • File access governance denies sensitive file open from MCP-class processes.
  • Network extension drops egress to blocklisted domains; behavioral chain quarantines the session.

Try it

  1. Run the MCP exfiltration test scenario
     turi test-scenario mcp-exfil
  2. Apply secure baseline, re-run, check dashboard
     See /docs/secure-baseline

Proof

Default: behavioral alert for read→connect chain. Baseline: file access denied or network drop + quarantine signal.

Open TURI dashboard → Session Replay → MCP events

Full lab notes (prerequisites, extra commands):
  • TURI installed; ES + Network Extension approved
  • Optional: watch Session Replay during the test
  • Add test domain to blocked_domains in policy
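To make the parent-chain and read → connect logic described in scenarios 2, 3 and 4 concrete, here is an added Python example (not TURI's code and not a description of how TURI is implemented) that replays a constructed trace of exec/open/connect events and reports what a monitor-mode alert versus an enforce-mode deny would look like. The AI-agent process names, the `turi-exec` governance-proxy name, the runner names and the sensitive-path fragments are all assumptions for the example.

```python
from collections import namedtuple

AI_AGENTS = {"Cursor", "Claude Code"}       # assumed names of signed AI parent processes
GOVERNED = {"turi-exec"}                    # assumed name of a governance proxy in the chain
RUNNERS = {"node", "python", "uv"}          # ungoverned runners the page names
SENSITIVE = ("/.ssh/", "/.aws/", "/.env")   # assumed sensitive path fragments

Event = namedtuple("Event", "kind pid ppid name detail")

# Constructed trace: the IDE spawns bare node (ungoverned), node reads AWS creds and
# connects out; a governed python run and an unrelated bash session serve as controls.
SAMPLE = [
    Event("exec", 100, 1, "Cursor", ""),
    Event("exec", 200, 100, "node", ""),
    Event("open", 200, 100, "node", "/Users/dev/.aws/credentials"),
    Event("connect", 200, 100, "node", "evil.example.test:443"),
    Event("exec", 300, 100, "turi-exec", ""),
    Event("exec", 301, 300, "python", ""),
    Event("exec", 400, 1, "bash", ""),
    Event("open", 400, 1, "bash", "/Users/dev/.ssh/id_ed25519"),
    Event("connect", 400, 1, "bash", "github.com:22"),
]

def ancestors(pid, tree):
    """Yield process names up the parent chain built from exec events."""
    while pid in tree:
        name, ppid = tree[pid]
        yield name
        pid = ppid

def analyze(events, blocked_domains=(), enforce=False):
    """Post-hoc correlation over a recorded trace (an inline enforcer would stop the
    chain at the first deny; here every event is still scored for illustration)."""
    tree, reads, findings = {}, {}, []
    for ev in events:
        if ev.kind == "exec":
            tree[ev.pid] = (ev.name, ev.ppid)
            chain = set(ancestors(ev.ppid, tree))
            # Scenario 3: runner under an AI parent with no governance proxy in the chain
            if ev.name in RUNNERS and AI_AGENTS & chain and not GOVERNED & chain:
                findings.append(("ungoverned-runner", ev.pid, "deny" if enforce else "alert"))
        elif ev.kind == "open" and any(s in ev.detail for s in SENSITIVE):
            reads[ev.pid] = ev.detail          # remember the sensitive read per process
        elif ev.kind == "connect" and ev.pid in reads and AI_AGENTS & set(ancestors(ev.pid, tree)):
            # Scenarios 2 and 4: read -> connect chain inside an agentic session
            host = ev.detail.split(":")[0]
            action = "deny+quarantine" if enforce and host in blocked_domains else "alert"
            findings.append(("read-connect", ev.pid, action))
    return findings
```

The bash session that reads an SSH key and connects to github.com is deliberately not flagged: without an AI agent in its parent chain it is not an agentic session, which is the classification the page says blocking depends on.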

5. Prompt injection triggers local file modification

A malicious prompt injection causes the AI agent to call a tool that writes to a sensitive file (SSH config, policy JSON) or spawns an unauthorized script.

What TURI does

Default install

  • Logs file write and exec events; smart alerts may fire if process is classified agentic.
  • No sync block without enforce mode — the write or exec completes.

Secure baseline

  • Process governance denies ungoverned script spawn from AI parent process.
  • File access governance blocks writes to security-sensitive paths.

Try it

  1. Confirm enforce mode is active
     TURI → Policy tab → verify enforcement mode
  2. Run the prompt injection test scenario
     turi test-scenario prompt-injection

Proof

Enforce: execution blocked or file write denied. Monitor: detection alert, and the agent self-modification rule fires.

Open TURI dashboard → filter for governance + self-modification events

Full lab notes (prerequisites, extra commands):
  • Policy lists your IDE as an AI agent process
  • Observation mode OFF for a real deny test
  • enforcement_mode enforce; observation mode off

Out of scope on Mac

Not a Mac scenario

In-cluster preemptive kill

A cloud agent execs into a pod and kills a process before shell decoding — SentinelOne-style LiteLLM narrative.

  • Not in scope: TURI is a macOS endpoint, not a Kubernetes runtime.
