Cybersecurity

Claude installs npm packages by itself, and the wrong one can take your files

Susan Hill

Claude’s Computer Use feature can do something an ordinary chatbot cannot. It can open a terminal on your computer and install software on your behalf, including packages pulled straight from npm, the world’s largest registry of open-source code. The appeal is obvious, since it turns «set this project up for me» into a single sentence. The exposure is the same sentence, because the moment a package arrives, npm can run whatever startup code that package brought with it, and now it is an autonomous agent pulling the trigger.

For anyone who lets an AI agent write or run code, and that is a fast-growing group of developers, hobbyists and curious non-programmers, the practical question is blunt. If Claude installs a package you never looked at, and that package was built to copy your files the instant it lands, who was supposed to catch it? A security researcher’s recent video walks through exactly that situation, showing a booby-trapped package reading local files during a routine install that the AI carried out without hesitating.

The mechanism is not new, which is precisely what makes it serious. npm packages are allowed to declare install scripts, small instructions that run automatically the moment a package is added to a project, before a single line of it is ever used on purpose. This is documented behavior rather than a flaw. It lets legitimate tools compile themselves or prepare their environment. It also means any package can execute code on your machine at install time, with the same permissions you have, and security teams have warned about it for years.

The wider world got a sharp reminder of the stakes when attackers seized the maintainer account behind Axios, a networking library downloaded tens of millions of times a week, and slipped in a malicious dependency that installed a remote-access trojan on developers’ machines. They never touched the real Axios code. The install script did the work. Axios happens to be a building block inside Claude Code itself, alongside countless other applications, which shows how little distance separates the tool you trust from the code it quietly pulls in behind it.

What the demonstration adds to that familiar picture is the agent. A person running an install at least has the option to pause, read the package name, notice that it is misspelled or freshly published, and back out. An AI agent acting on a loose instruction has no such reflex. It installs what it decides it needs. And because Computer Use can also read the screen, move the cursor and type, one poisoned dependency does not stay trapped inside the code editor. It has the run of the whole desktop.

It is worth being precise about what this is and what it is not. It is not a hidden backdoor unique to Claude, and it is not proof that the model was tricked into ignoring its own rules. It is the predictable result of giving any autonomous program the power to install software, combined with a registry that has executed install code by default for more than a decade. Swap Claude for any other coding agent with the same permissions and the picture looks identical. The danger lives in the autonomy and the registry, not in one company’s chatbot.

Anthropic has, if anything, been building in the opposite direction. The company recently shipped sandboxing for its coding tools that walls the agent off from the rest of the system, limiting which files it can read and which servers it can reach, and released the underlying isolation toolkit as open source for other developers. The reasoning is the one the demo exposes. An agent that cannot reach your SSH keys cannot leak them, and an agent that cannot contact an unknown server cannot ship your files anywhere. The company says those boundaries cut the permission prompts it shows users by roughly 84 percent, which matters because a tool that asks about everything quickly trains people to click yes.

For the people actually using these tools, the defenses are dull and effective. Run the agent inside a sandbox, a container or a throwaway virtual machine, so the worst a bad package can reach is a disposable environment. Switch off automatic install scripts where the workflow allows it, something a few newer package managers now do by default. Keep credentials, keys and personal files off the machine where an agent has free rein. And treat «install this for me» with the caution you would give to «open this email attachment,» because underneath it is closer to that than it feels.

The specific package in the demonstration is one researcher’s proof rather than a live outbreak, and there is no sign it reached real users. The pattern behind it is the part that will not stay contained. Agentic coding is becoming the default faster than the habits meant to keep it safe, and the registries these agents lean on were never built for a world where the thing typing the install command is not a person. Until that gap closes, the oldest rule in software security now points at a new kind of user: whatever your agent installs, it runs, so decide what it is allowed to touch before you let it start.
