Cursor

Integrate brin with Cursor hooks to automatically scan packages installed by AI agents

Cursor's hooks system lets you intercept and control agent actions. By using the beforeShellExecution hook, you can automatically route all package installations through brin for security scanning.

Why Use Hooks?

When AI agents install packages autonomously, they don't verify package integrity or check for known vulnerabilities. This makes them vulnerable to:

  • Typosquatting - installing lodashs instead of lodash
  • Supply chain attacks - compromised packages like event-stream
  • Malicious install scripts - packages that execute code during installation

With brin hooks, every npm install, yarn add, pnpm add, or bun add command is intercepted and routed through brin first.

Prerequisites

Setup

Choose one of the two options below. The script-based approach is recommended for production use.

Option A: Script-Based Hook (Recommended)

This approach uses a bash script for fast, deterministic behavior.

1. Create the hooks configuration

Create .cursor/hooks.json in your project root:

JSON
{
  "version": 1,
  "hooks": {
    "beforeShellExecution": [
      {
        "command": ".cursor/hooks/brin-gateway.sh",
        "matcher": "npm|yarn|pnpm|bun"
      }
    ]
  }
}

2. Create the hook script

Create .cursor/hooks/brin-gateway.sh:

Bash
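#!/bin/bash
# Cursor passes the hook input as JSON on stdin; .command is the shell command.
input=$(cat)
cmd=$(echo "$input" | jq -r '.command')

# Match install commands with packages.
# Capture groups: 1 = whole verb, 2-4 = per-manager subcommands, 5 = package list.
if [[ "$cmd" =~ ^(npm\ (i|install|add)|yarn\ add|pnpm\ (add|i)|bun\ (add|i))\ (.+)$ ]]; then
  pkg="${BASH_REMATCH[5]}"
  # -c prints the JSON on one line.
  jq -nc --arg p "$pkg" '{continue:true, permission:"deny", agent_message:"Use `brin add \($p)` instead."}'
# Match uninstall commands with packages (same group layout).
elif [[ "$cmd" =~ ^(npm\ (uninstall|rm)|yarn\ remove|pnpm\ (rm|remove)|bun\ (rm|remove))\ (.+)$ ]]; then
  pkg="${BASH_REMATCH[5]}"
  jq -nc --arg p "$pkg" '{continue:true, permission:"deny", agent_message:"Use `brin remove \($p)` instead."}'
else
  # Bare installs (no package named) and all other commands pass through.
  echo '{"continue":true,"permission":"allow"}'
fi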

3. Make it executable and restart Cursor

Bash
chmod +x .cursor/hooks/brin-gateway.sh

Then restart Cursor to load the hook.
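
The patterns in brin-gateway.sh are anchored to the start of the command, so a line such as `cd app && npm i lodash` takes the allow branch. The sketch below is an added example (not brin's own code) that applies the same patterns to every `&&`, `||`, `;` or `|` segment and skips leading `sudo` or `VAR=value` prefixes; the function names `classify_segment` and `classify_cmd` are hypothetical.

```bash
#!/bin/bash
# Added example, not brin's script. Prints "add <pkgs>", "remove <pkgs>" or "allow".
add_re='^(npm +(i|install|add)|yarn +add|pnpm +(add|i)|bun +(add|i)) +(.+)$'
rm_re='^(npm +(uninstall|rm)|yarn +remove|pnpm +(rm|remove)|bun +(rm|remove)) +(.+)$'
# Leading "sudo" or VAR=value prefixes (assumed wrappers; sudo flags are not handled).
prefix_re='^[[:space:]]*(sudo|[A-Za-z_][A-Za-z0-9_]*=[^[:space:]]*)[[:space:]]+(.*)$'

classify_segment() {
  local seg="$1"
  while [[ $seg =~ $prefix_re ]]; do seg="${BASH_REMATCH[2]}"; done
  seg="${seg#"${seg%%[![:space:]]*}"}"   # trim leading whitespace
  seg="${seg%"${seg##*[![:space:]]}"}"   # trim trailing whitespace
  if [[ $seg =~ $add_re ]]; then
    echo "add ${BASH_REMATCH[5]}"        # group 5 is the package list
  elif [[ $seg =~ $rm_re ]]; then
    echo "remove ${BASH_REMATCH[5]}"
  else
    echo "allow"
  fi
}

classify_cmd() {
  local line="$1" nl=$'\n' sep seg verdict
  # Naive split on shell operators: quoting and subshells are not understood.
  for sep in '&&' '||' ';' '|'; do line="${line//"$sep"/$nl}"; done
  while IFS= read -r seg; do
    verdict=$(classify_segment "$seg")
    if [[ $verdict != allow ]]; then echo "$verdict"; return 0; fi
  done <<< "$line"
  echo "allow"
}

# Constructed sample command lines.
for sample in 'npm install express' 'cd app && npm i lodash' \
              'sudo yarn add left-pad' 'npm install' 'npm run build | tee log'; do
  printf '%-28s -> %s\n' "$sample" "$(classify_cmd "$sample")"
done
```

To use it in the hook, call `classify_cmd "$cmd"` in brin-gateway.sh and build the deny message from its output.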

Option B: Prompt-Based Hook (Zero Code)

This approach uses Cursor's built-in LLM evaluation, so no script is needed. Trade-off: it adds slight latency per command.

Create .cursor/hooks.json in your project root:

JSON
{
  "version": 1,
  "hooks": {
    "beforeShellExecution": [
      {
        "type": "prompt",
        "prompt": "If this command installs a package (npm install <pkg>, yarn add <pkg>, pnpm add <pkg>, bun add <pkg>), deny and tell the agent to use 'brin add <package>' instead. Allow bare 'npm install' or non-install commands.",
        "matcher": "npm|yarn|pnpm|bun"
      }
    ]
  }
}

Restart Cursor to load the hook. No script file needed.

How It Works

When the Cursor agent tries to run a package install command:

  1. Agent attempts npm install express
  2. Hook intercepts and denies the command
  3. Hook tells the agent to use brin add express instead
  4. brin scans the package for vulnerabilities
  5. If safe, brin installs using your detected package manager

Command Mapping

The hook intercepts these commands and routes them through brin:

| Original Command  | brin Equivalent |
|-------------------|-----------------|
| npm install pkg   | brin add pkg    |
| npm i pkg         | brin add pkg    |
| yarn add pkg      | brin add pkg    |
| pnpm add pkg      | brin add pkg    |
| bun add pkg       | brin add pkg    |
| npm uninstall pkg | brin remove pkg |
| yarn remove pkg   | brin remove pkg |

Commands without specific packages (like npm install to install from package.json) are allowed through.

Testing the Integration

Ask Cursor to install a package:

Text
Install the express package

You should see the hook intercept the command and instruct the agent to use brin instead:

Bash
🔍 checking express@4.21.0...
✅ not sus
   ├─ publisher: expressjs (verified)
   ├─ downloads: 32M/week
   ├─ cves: 0
   └─ install scripts: none
📦 installed
📝 updated AGENTS.md docs index

Global Configuration

To apply brin hooks to all your projects, create the configuration in your home directory:

Bash
mkdir -p ~/.cursor/hooks

Create ~/.cursor/hooks.json:

JSON
{
  "version": 1,
  "hooks": {
    "beforeShellExecution": [
      {
        "command": "./hooks/brin-gateway.sh",
        "matcher": "npm|yarn|pnpm|bun"
      }
    ]
  }
}

Then copy the hook script to ~/.cursor/hooks/brin-gateway.sh.

Troubleshooting

Hook not triggering

  1. Verify the hook file exists at .cursor/hooks.json
  2. Check that the script is executable: chmod +x .cursor/hooks/brin-gateway.sh
  3. Restart Cursor after making changes
  4. Check Cursor Settings > Hooks tab for debug info

Script errors

Test the script manually:

Bash
echo '{"command": "npm install express", "cwd": "/tmp"}' | .cursor/hooks/brin-gateway.sh

Expected output:

JSON
{"continue":true,"permission":"deny","agent_message":"Use `brin add express` instead."}

jq not found

The script requires jq for JSON parsing. Install it:

Bash
# macOS
brew install jq
 
# Ubuntu/Debian
sudo apt-get install jq
 
# Windows (with chocolatey)
choco install jq