Real-time npm install firewall for AI coding sessions that blocks supply-chain attacks before they hijack Claude Code, Codex, or VS Code.

1. The Mini Shai-Hulud attack (May 2026) demonstrated for the first time that AI coding session hooks are a viable persistence vector — 637 malicious package versions published in 22 minutes, each injecting hooks into Claude Code and Codex sessions on developer machines.
2. Millions of monthly downloads on compromised packages (size-sensor 4.2M, echarts-for-react 3.8M) mean the blast radius of a single npm account takeover now reaches a significant fraction of the global developer population.
3. The same Mini Shai-Hulud toolkit appeared in a prior SAP compromise three weeks earlier, confirming a persistent adversary group systematically targeting AI developer toolchains and likely to strike again.
4. A full cloud credential sweep (AWS, GCP, Azure, GitHub, Kubernetes, Vault, 1Password, Bitwarden) means a single infected npm install on a developer laptop is now equivalent to a full infrastructure compromise — a board-level incident that DevSecOps teams will budget to prevent.

Catalyst. The May 2026 Mini Shai-Hulud attack proved that AI coding sessions can be backdoored via npm and that the attack re-executes on every subsequent AI session — creating a new category of persistent developer-machine compromise that existing SCA tools cannot detect.

An AI-agent-aware package security platform with three layers: (1) a drop-in CLI shim that wraps npm and intercepts installs initiated by AI coding agents, checking publish velocity, account-takeover signals, and hook-file mutations before allowing installation; (2) a session-config monitor that watches AI session startup files for unauthorized modifications and alerts or rolls back changes; (3) a credential-scope daemon that issues short-lived, process-scoped cloud tokens to AI agent processes so even a fully compromised package cannot harvest long-lived AWS, GCP, or GitHub credentials. The platform returns verdicts in under 200 ms to avoid disrupting the AI coding workflow and integrates with existing SIEM and Slack alerting pipelines.

What's different. Existing SCA tools analyse dependency graphs and known vulnerability databases; none model the AI coding agent as an actor or monitor the session hook files those agents use as their configuration surface. This product's core IP is a real-time publish-velocity anomaly detector (catching the 22-minute 637-version burst pattern) combined with a hook-file integrity watcher tuned specifically to Claude Code, Codex, and VS Code AI extension configs. The credential-scope daemon layer is defensible because it requires deep integration with the developer's local keychain and cloud SDK credential chains — a moat built through onboarding friction that becomes stickiness over time.

Jobs to be done

flowchart LR
  DevLaptop["Developer Laptop\n(AI coding session)"]
  NPMShim["npm Shim\n(intercepts install)"]
  ProvenanceEngine["Provenance &\nVelocity Engine"]
  HookMonitor["Session Hook\nMonitor"]
  CredDaemon["Credential\nScope Daemon"]
  SIEM["SIEM / Slack Alert"]
  DevLaptop --> NPMShim
  NPMShim --> ProvenanceEngine
  ProvenanceEngine -->|clean| DevLaptop
  ProvenanceEngine -->|flagged| SIEM
  DevLaptop --> HookMonitor
  HookMonitor -->|unauthorized change| SIEM
  DevLaptop --> CredDaemon
  CredDaemon -->|scoped ephemeral token| DevLaptop

Executive takeaways

• The problem is real now: recent npm compromises moved beyond malicious packages into durable AI-session persistence on developer workstations.
• The wedge is narrow but timely: in-line install blocking plus hook-file integrity monitoring sits between legacy SCA and broader agent-governance platforms.
• Incumbents validate demand, but their current products are either repo-centric, proxy-centric, or enterprise-heavy rather than lightweight workstation controls.
• The biggest execution risk is false-positive friction; the biggest strategic risk is rapid bundling by Endor Labs or Socket.

Market definition

This market sits at the intersection of software supply-chain security, developer-workstation protection, and AI-agent governance. The near-term wedge is preventing malicious package installs and unauthorized edits to agent-session configuration files on developer laptops.

Customer and buyer

Primary buyers are platform security and DevSecOps leaders who own developer-laptop policy and AI-tool rollout. The day-to-day champion is usually the staff engineer or security engineer responsible for hardening Claude Code, VS Code, and CI workflows.

Buying triggers

• TanStack's postmortem turned .claude and .vscode inspection into an explicit incident-response task, converting a previously invisible risk into an operational checklist item. [2][47]
• Recent npm attacks showed that trusted publishing and provenance can still ship malicious artifacts when workflows or trust scopes are compromised. [3][14][15]
• Security teams are already budgeting for malicious open-source controls as malware advisories and confirmed incidents rise. [43]
• AI coding use is broad while AI-security maturity is low, so platform-security teams now have a visible control gap to close. [44][45]

Willingness to pay

Adjacent AppSec tools already train buyers to accept per-contributor pricing around $30 per month, while Endor and Socket package supply-chain controls into broader platforms. That supports budget for a narrower control if it demonstrably blocks incidents that existing seats miss. [37][39][41]

Category dynamics

Growth signal 13.6x increase in open-source malware advisories since January 2024

Validation signals

• TanStack explicitly told users to audit .claude and .vscode after compromise, proving the buyer already accepts this surface as security-relevant.
• The TanStack and AntV waves show malware persisting through hook and task-file writes rather than only through dependency trees.
• Endor and Socket both launched adjacent controls in the same market window, validating budget and urgency.
• Endor's malware report shows buyers now rank malicious OSS as a top 2026 priority and expect higher spend.

Regulatory & technical constraints

• Valid provenance statements and trusted publishing reduce some risks but do not prove code safety when attacker-controlled workflows are still trusted.
• Native Claude Code hooks are valuable but some exploit chains can begin before hook execution, so wrapper-level hardening is required.
• npm access tokens now enforce expiry and scoping, but CI and workflow tokens still create valuable install-time secrets on developer and build machines.
• VS Code tasks.json remains a separate persistence surface, so protecting Claude hooks alone is insufficient.

Endor Labs is the closest direct entrant because it combines hook-based agent governance with a package firewall. Socket is the strongest adjacent incumbent at the registry and proxy layer. Snyk and Semgrep remain the default substitute budgets for most buyers, while Chainguard is a prevention-layer alternative rather than a workstation-layer control.

Why incumbents do not win by default

• Native platform controls. GitHub and npm provide provenance, dependency, and secret-scanning primitives, but they do not monitor local AI-session config writes or stop malicious lifecycle scripts at the workstation edge.
• Broad SCA suites. Snyk and Semgrep sell into the same budget line, but their core posture is repo and CI scanning rather than in-line agent-session enforcement on developer machines.
• Proxy firewalls. Socket Firewall and Endor Package Firewall are closer substitutes, yet both emphasize proxy or enterprise deployment models more than lightweight local hook-file protection.
• Agent-governance platforms. Endor's agent-governance launch validates the category, but it also suggests buyers may prefer broad policy planes unless a focused product wins on deployment speed and workstation-specific detections.

npm AI Session Guard should start as a workstation-first control for AI-triggered npm installs, not as a broad software supply-chain suite. The first customer is a Series B-D software, infrastructure, or developer-tools company with 100-500 engineers, a formal Claude Code or Cursor rollout, and a platform-security team that owns managed developer-laptop policy. The buying trigger is usually a fresh npm compromise, internal red-team finding, or AI rollout review that exposes .claude and .vscode persistence as a control gap their current Snyk, Semgrep, or Socket spend does not close. Research supports a large category with an estimated $6.4B TAM, $960M beachhead SAM, and a modeled $9.6M year-3 SOM, but the company should pursue only the narrow wedge of audit-first npm interception plus hook-file integrity before expanding into broader agent governance or multi-registry policy. Product sequencing should begin with Claude Code and VS Code surfaces, default to audit mode, and earn the right to add blocking and credential scoping only after pilots prove low false positives and fast deployment. The strongest strategic asset is a differentiated workstation telemetry set around publish bursts, Bun-backed payloads, and unauthorized hook-file writes that legacy SCA tools do not collect. The biggest disconfirming risks are rapid bundling by Endor or Socket and the possibility that local blocking creates enough friction that engineers disable the product. Exact enterprise seat counts for AI coding tools and the real enforcement limits of managed hooks versus filesystem-level controls are still gaps in the inputs, so the first year must resolve those unknowns.

Problem

• AI-session-targeted npm attacks now persist by writing to .claude and .vscode files on developer machines, so one install can compromise every later coding session.
• Existing SCA, proxy, and repo-security tools mostly scan dependencies, CI, or registries and do not reliably stop agent-initiated local installs or unauthorized hook-file mutations.
• Security teams need a control they can deploy quickly across managed laptops without breaking legitimate package installs so often that developers bypass it.

Solution

• Ship a local-first npm shim that intercepts agent-initiated installs, scores publish-velocity bursts, provenance gaps, and known campaign fingerprints, and defaults to audit mode before selective blocking.
• Watch .claude and .vscode persistence surfaces for unauthorized writes, tie each mutation to the triggering package or process, and emit rollback plus SIEM-ready evidence.
• Add a credential-scope daemon after pilot trust is earned so AI-agent processes receive short-lived scoped cloud and Git credentials instead of full developer secrets.

Why we win

• The product is aimed at the exact workstation blind spot validated by TanStack and AntV style incidents, where buyers now recognize .claude and .vscode as security-relevant surfaces.
• A lightweight local shim plus managed deployment path gives faster proof than proxy-heavy or broader agent-governance platforms that require larger enterprise rollouts.
• Telemetry from blocked install bursts, Bun bootstrap patterns, hook-file writes, and override decisions can compound into a proprietary detection and policy dataset.

Milestones

flowchart LR
  Wedge[AI session npm wedge] --> MVP[Audit-first shim and hook monitor MVP]
  MVP --> Proof[Blocked payloads and trusted pilots]
  Proof --> Expansion[Credential scope and wider workstation policy]

Founding team

Experiment roadmap

Risk assessment

What must be true

• At least one-third of qualified beachhead accounts must treat workstation-level AI-session persistence as a funded control gap now rather than a future roadmap request.
• Audit-first pilots must produce actionable detections or blocked red-team payloads within 30 days without more than 15% of seats disabling or bypassing the product.
• The shim and hook monitor must stop recreated TanStack and AntV style payloads before persistence on supported environments.
• Customers must pay effective pricing above $20 per protected seat per month or above $50k annual ACV for production deployments of meaningful size.
• Endor, Socket, Snyk, and Semgrep must fail to neutralize the wedge before the startup establishes at least 10 production customers and a differentiated telemetry set.

Open diligence questions

• How many centrally managed Claude Code, Cursor, and Codex seats already exist in 100-500 engineer target accounts?
• Is managed-hook or MDM rollout enough to enforce the product before lifecycle scripts run, or is deeper endpoint control required?
• What false-positive and added-latency thresholds cause engineering teams to disable or bypass workstation controls?
• In a real bake-off, which detections are uniquely better than Endor, Socket, Snyk, or internal scripts?
• Can the company gather enough install and hook telemetry to improve detection while preserving the local-first privacy posture buyers expect?

Model sanity

• Revenue engine. Base-case revenue comes from landing 6 active accounts in Y1, converting that base into 12 active organizations by Q4Y2, and then expanding seats and premium modules to reach $2.1M of Y3 revenue.
• Must go right. The model needs audit-first pilots to stay below the 15% disablement threshold so conversions happen without building an implementation-heavy services bench.
• Model breaks if. The downside case shows that slower sales cycles plus lower ARPU can push cash slightly below zero before the next round even without a major hiring mistake.
• Next-round proof. The next financing case is strongest once the company shows 10-12 production customers, sub-30-day deployment, and repeatable attach of blocking or credential-scoping modules.

Scenarios

Sensitivity

flowchart LR
  Leads[Triggered target accounts] --> Pilots[Paid pilots]
  Pilots --> Customers[Production customers]
  Customers --> Revenue[Seat and module revenue]
  Revenue --> GrossProfit[Gross profit after hosting and support]
  GrossProfit --> Cash[Cash runway]

Flags: Base case is still EBITDA-negative in Y3, so the company likely needs a follow-on round before true breakeven. · Cash bottoms at only $290.1K, so a slower pilot-conversion curve or one large implementation-heavy customer would tighten runway quickly. · The model assumes incumbents do not compress pricing below roughly $8.5K-$10K monthly revenue per active organization once the wedge becomes more visible.

• Incumbent feature addition. Socket.dev or Snyk could add AI-session hook monitoring and publish-velocity detection as a feature within 6–12 months of this idea becoming public. Mitigation: Move fast to sign 10+ paying enterprise customers and build the credential-scope daemon before incumbents react; pursue exclusive data-sharing agreements with npm and AI tool vendors.
• False positive friction. Overly aggressive blocking of legitimate npm packages would destroy developer trust and cause platform security teams to disable the tool after a single false positive disrupts a production deploy. Mitigation: Launch in audit-only mode by default with a 30-day calibration period and invest heavily in false-positive rate as a key product metric published on a public accuracy dashboard.
• AI tool API fragmentation. Claude Code, Codex, Cursor, and future AI coding tools each have different session hook schemas and config file locations, creating ongoing maintenance burden as the market fragments. Mitigation: Open-source the hook-schema library to invite vendor contributions and prioritise Claude Code and VS Code for the first 12 months before expanding methodically to other tools.