AI coding agents
Block malicious packages in Claude Code and other AI agents
Your coding agent runs npm install and pip install on its own, at machine speed, and decides what to install from text an attacker can write. A system prompt telling it to be careful is not a security control. A deterministic firewall underneath it is: Dependency Guardian sits at the install chokepoint and refuses a malicious package before its bytes reach the package manager.
npm install -g @westbayberry/dg && dg setup
dg setup writes PATH shims for npm, pip, yarn, pnpm, uv and cargo. Run dg hook claude-code to add a PreToolUse hook that catches installs an agent runs in its own subprocess, where the shell shims are not on PATH.
An agent session is the best deployment surface registry malware has ever had
The agent installs without a human reading the package name, at whatever speed the task demands, and it picks what to install based on text: the task prompt, a README it fetched, an error message, a skill file someone published. Text is exactly the thing an attacker controls. A human might install five packages on a bad day; an agent scaffolding a project installs fifty in a minute, each one a lottery ticket against the window between a malicious publish and its takedown.
You cannot prompt your way out of this
The tempting fix is a system prompt: verify packages before installing, never install suspicious software. It fails for a structural reason. Instructions and data arrive in the same channel; the attacker writes data, the model reads instructions, and the judge is the thing being attacked. The control has to be deterministic and it has to sit below the agent, at the install chokepoint, where no quantity of adversarial text can reach it. That is what the PATH shims and the blocking contract give you.
The same chokepoint enforces cooldown
Most registry malware is caught within days of publication. An agent that cannot install a version younger than your cooldown window skates past the majority of fresh-compromise incidents, including both Shai-Hulud waves, without any detector needing to fire at all. dg enforces cooldown at the same point it enforces the malware verdict.
What this does not cover: PATH shims intercept anything that resolves a package manager through PATH, which covers normal agent behavior, but a process that execs an absolute path like /usr/bin/pip goes around them. dg covers npm and PyPI, where nearly all of this attack activity lives; if your agent writes Go all day, it is not protected yet. A cold package dg has never analyzed is scanned at install time, which adds a few seconds to that one install.
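As an added illustration of the deterministic check the two sections above describe (not dg's own code), here is a small Python verdict function that a PATH shim or a PreToolUse hook could run over an install command before it reaches the real package manager: it parses npm, yarn, pnpm, pip and uv install commands, refuses a package with a malicious verdict, refuses any version published inside the cooldown window, and marks a never-analyzed package for a scan. The registry publish times, the verdict store and the package names are constructed placeholders, and the hook's input format is an assumption rather than dg's contract.

```python
import shlex
from datetime import datetime, timedelta

COOLDOWN = timedelta(days=7)
# Constructed stand-ins for registry publish times and for the scanner's verdict store;
# the package names are placeholders, not real packages.
PUBLISHED = {("npm", "example-lib"): {"1.0.0": "2025-01-01T00:00:00Z", "1.1.0": "2025-06-01T00:00:00Z"},
             ("pypi", "example-tool"): {"2.0.0": "2025-02-01T00:00:00Z"}}
KNOWN_MALICIOUS = {("npm", "example-stealer")}
NPM_TOOLS, PYPI_TOOLS, VERBS = {"npm", "yarn", "pnpm"}, {"pip", "pip3"}, {"install", "i", "add"}

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def split_spec(eco, arg):
    """'pkg==1.0' (pip) or 'pkg@1.0' (npm) -> (name, version); scoped '@org/pkg' is kept whole."""
    if eco == "pypi":
        name, _, ver = arg.partition("==")
        return name, (ver or None)
    idx = arg.rfind("@")
    return (arg[:idx], arg[idx + 1:]) if idx > 0 else (arg, None)

def parse_install(command):
    """Return (ecosystem, [(name, version)]) for a package install command, else None."""
    argv = shlex.split(command)
    tool = argv[0].rsplit("/", 1)[-1] if argv else ""   # basename, so /usr/bin/pip is still pip
    if tool == "uv" and argv[1:2] == ["pip"]:            # 'uv pip install' behaves like pip
        tool, argv = "pip", argv[1:]
    if len(argv) < 2 or tool not in NPM_TOOLS | PYPI_TOOLS or argv[1] not in VERBS:
        return None
    eco = "pypi" if tool in PYPI_TOOLS else "npm"
    return eco, [split_spec(eco, a) for a in argv[2:] if not a.startswith("-")]

def verdict(command, now_iso):
    """Deterministic decision: ('allow'|'block'|'scan', reason). No model sits in this loop."""
    parsed = parse_install(command)
    if parsed is None:
        return "allow", "not a package install"
    eco, specs = parsed
    for name, version in specs:
        if (eco, name) in KNOWN_MALICIOUS:
            return "block", f"{name} has a malicious verdict"
        times = PUBLISHED.get((eco, name), {})
        version = version or max(times, key=times.get, default=None)  # unpinned -> newest
        if version not in times:
            return "scan", f"{name}@{version or 'latest'} is cold; scan the tarball before installing"
        age = _ts(now_iso) - _ts(times[version])
        if age < COOLDOWN:
            return "block", f"{name}@{version} is {age.days}d old, inside the cooldown window"
    return "allow", "all packages cleared"
```

A shim would run verdict() on its own argv and exec the real binary only on an allow; a hook would read the command from the agent's tool input and exit non-zero on a block, so the decision never depends on what the agent was told.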
Questions
How do I stop Claude Code from installing malicious packages?
Run dg setup after installing, which puts shims in front of npm, pip, yarn, pnpm and uv. Any install the agent runs through the shell is checked against a deterministic verdict, and a confirmed-malicious package is refused before its bytes are fetched. dg hook claude-code adds a PreToolUse hook for installs an agent runs in a subprocess that does not carry your shell shims.
Does this work with agents other than Claude Code?
Yes. The shims are agent-agnostic: Cursor, Copilot and the rest resolve npm and pip through PATH like anyone else, with no per-agent configuration. A dedicated hook ships for Claude Code today, with Cursor and Copilot next. The full write-up is here.
Is it free?
The CLI scanner is free with no signup. npm install -g @westbayberry/dg && dg setup is the whole thing. See the measured benchmark for the scanner's false-alarm rate, denominators shown.