AI coding assistants have fundamentally changed how developers work with open source software. They don't just suggest code; they autonomously select open source dependencies, modify package manifests, and execute install commands. This speed comes with a tradeoff: malicious packages can be introduced and executed before a developer even realizes what's happening.

Endor Labs has integrated with Cursor's new hooks system to address this gap. The integration inspects dependencies for malware at the exact moment an AI coding agent attempts to install them, preventing known malware from executing on developer machines.

The integration triggers when the Cursor agent runs commands like npm install or pip install. Endor Labs scans the targeted dependency against its malware intelligence database and blocks installation if threats are detected, all before any install scripts execute.

This creates an important pre-installation choke point where security tooling can intervene to prevent malware from compromising a developer’s machine. See it in action (and check out the examples repo):

OSS malware is a major software supply chain risk, and AI is now the custodian of the problem

Open source software malware is no longer rare. We hear about it in the news regularly. 

Empirical research analyzing malicious packages in the wild shows that attackers overwhelmingly target popular ecosystems with high install velocity and low human scrutiny. 

Studies have found that the number of reported malware advisories in the open source ecosystem is growing with attackers heavily targeting npm and the PyPI ecosystems.

A Time Series Analysis of Malware Uploads to Programming Language Ecosystems [PDF] by Ruohonen, Ukka et al found:

• Since 2022, as much as 84% of npm and 57% of PyPI entries in OSV have been about malware.
• The moving average of the share of issue advisories that are malware was shown to be around 50% during 2023 and most of 2024, but in early 2025, it had increased to 80%. This amount is almost twice the median of 41%.

Humans had to be conscious of the software they reused (or conscious that they were copy pasting without review). With the growing trust of AI, the same level of conscious decision-making no longer applies.

Install-time execution is the moment of risk

A significant portion of OSS malware executes at installation time via setup scripts, lifecycle hooks, or initialization logic. One mistaken dependency can compromise a developer's machine in an instant. In AI-assisted workflows, that mistake can be made automatically.

If an AI assistant adds a dependency to package.json or requirements.txt, the risk may be introduced immediately. When npm install or pip install runs, the malware may already be executing. Malicious packages initially deceive developers and users into downloading and installing them, and then execute behaviors such as implanting backdoors, stealing sensitive information, and downloading and executing payloads without user permission.

This is why pre-install interception matters.

In an ideal security world, each artifact is reviewed, approved, and regularly vetted. Controls should be in place, such as network proxy blocks of open source software repositories that force developers to use an artifact repository. Although artifact repositories have controls to prevent malware, they are often limited because they:

• Rely on consistent developer machine configuration for enforcement, an assumption that often breaks down across teams and environments.
• Cache dependencies to speed up installs, which can allow malicious artifacts to persist unless caches are explicitly cleared or revalidated.
• Proxy artifacts from public package registries, so new or first-seen dependencies may enter the system before undergoing organization-specific security review.

And in fact, many enterprises still don’t use artifact repositories across all their environments.

The reality is that only the most mature organizations live above the ‘'security poverty line’', and an ideal world for the security team is often not the reality we live in. But perfect shouldn't get in the way of better.

The IDE as a security choke point and how Cursor hooks enable enforcement

Cursor's hook model formalizes what has quietly become true: the IDE is now a primary choke point where unvetted code enters the system. 

Cursor's hook system creates a security choke point before installation and execution occur. Hooks allow AI-initiated actions to be intercepted and inspected at critical moments, including:

• Before a dependency is installed
• After an AI generates a diff in a manifest file

AI agents can execute shell commands, modify manifests, fetch dependencies, and chain actions together autonomously. If an agent decides to install a global package with a malicious post-install script, a developer workstation can be compromised instantly.

A beforeShellExecution hook can trigger when an AI assistant attempts to install a dependency, giving security tooling a chance to scan, evaluate, and block malicious packages before code executes. This shifts malware defense from incident response to prevention, but only if the detection intelligence is comprehensive enough to catch threats public databases miss.

Why detection quality matters

A hook is only as effective as the intelligence behind it. If security tooling relies solely on public malware feeds, it will miss a significant portion of threats.

Research shows the detection gap is substantial. An Analysis of Malicious Packages in Open-Source Software in the Wild by Ohm, M., Zhou, Y., et al. found that:

• At the time of data collection, approximately 60% of identified malicious open-source packages were classified as available, meaning they could be retrieved either from primary package registries or from unsynchronized registry mirrors, while the remaining ~40% were unavailable due to registry removal or short persistence windows.
• Limited industry-wide and industry–academia collaboration on OSS malware data results in fragmented reporting and gaps in the coverage of publicly available advisory datasets.

Endor Labs addresses these gaps by curating malware intelligence beyond public feeds. This includes packages that have been removed from registries, behavioral indicators that suggest malicious intent, and threats not yet documented in centralized advisories. When a beforeShellExecution hook triggers, the scan evaluates against this broader threat database, catching malware that would otherwise slip through.

Guardrails for the agentic era

The core lesson of software security still applies: trust, but verify. AI-assisted development demands that verification be faster.

Cursor hooks enable verification and enforcement at the moment of risk. Platforms like Endor Labs supply the intelligence to evaluate dependencies, detect malicious indicators, and apply policy consistently. Together, they allow AI-augmented development to move fast without pretending risk disappeared.

Book a demo to learn more about managing risk in the agentic era of software development.