We let AI agents read and write files in our projects, and we install skills or plugins from the internet. npm malware steals secrets at install time. The AI agents run commands and install npm packages too, and sometimes those packages are hallucinated or malicious.
airgap
is a wrapper that runs a program inside namespaces. Sensitive secrets in files are hidden from AI agents. Agents can still work with the files, but they never see the real values. Package managers are gated: you get asked before they try to access a file they’re not supposed to.
Linux only. macOS support is work in progress.
Your secrets sit in plain files like .env
, ~/.ssh
, and ~/.npmrc
. These days we, or our AI agents, run a lot of untrusted code that might read them. Two ways that happens:
AI agents. An agent like claude
or opencode
reads through your project and home directory, and everything it reads might be sent to a model provider. A .env
value or an SSH key can land in a prompt without you noticing. A malicious plugin or skill can grab sensitive files on purpose.
npm packages. Malicious npm packages aren’t new, but the recent wave is very successful and spreads fast. A dependency can add a preinstall
or postinstall
hook that runs arbitrary code when you install it, and that code goes after your .env
files, SSH keys, and cloud credentials. Campaigns like Shai-Hulud, Miasma, pgserve, and the fake ** tanstack** package all do the same thing: run on install, grab secrets, send them out. Some also leave persistent bad state behind. And an agent will run
npm install
on a package it made up, which is a name attackers now register ahead of time (slopsquatting).The clearest example is Shai-Hulud, a self-replicating worm that spread through npm in late 2025. When you install a compromised package, its hook looks for credentials in
.npmrc
(npm tokens), environment variables, and config files holding GitHub PATs and cloud keys for AWS, GCP, and Azure. It sends them to the attacker.With a stolen npm token, it republishes backdoored versions of the other packages that developer maintains, so every install of those spreads it again. The 2.0 campaign in late 2025 moved the code to preinstall
, which also affects CI/CD pipelines.
These malware only work if they can steal your secrets from disk. airgap
is meant to prevent that. When it reads .env
, a private key, or ~/.npmrc
, it gets back redacted content. Any other unexpected file, like ~/.aws/credentials
, asks for your permission first.
.env
, etc.).npmrc
)In your project and home directories. We’re adding more and more.
airgap
spawns the target program in a new mount and user namespace, and mounts your home directory and the current working directory (if different from the home one) as a FUSE filesystem. Every filesystem access goes through airgap’s handler. From there we redact secrets, or ask you to confirm the program was supposed to access that file.
Install from crates.io:
cargo install airgap
airgap <program> [args...]
airgap
has a program allowlist, with special rules for each program. Currently supported:
claude
, opencode
— run with redaction only.npm
— runs with redaction ~/.gitconfig
, node_modules
, and lockfiles are pre-approved.More tools will be added. If you want support for another program, open an issue.
.env
files:
$ cat .env
API_KEY=sk-live-9f8c2a1b4e7d
DB_PASSWORD=hunter2
$ airgap cat .env
API_KEY=<redacted value>
DB_PASSWORD=<redacted value>
The file stays readable and editable for AI agents, just the secrets are hidden from them.
When running npm
under airgap
, the install hooks run but each new file read triggers a prompt:
$ airgap npm install bad-package
airgap: allow reading /home/sven/.ssh/id_rsa? [y/N] n
airgap: blocked /home/sven/.ssh/id_rsa
added 42 packages in 2s
A postinstall
script that tries to read ~/.ssh/id_rsa
gets caught and denied. The install keeps going, and the hook gets nothing.
Normal reads like package.json
, lockfiles, and the npm cache are pre-approved, so you only get prompted for files that aren’t expected.
$ airgap claude
> show me ./.env contents
Read 1 file
Here's the file:
DATABASE_URL="<redacted value>"
API_KEY="<redacted value>"
AWS_SECRET_ACCESS_KEY="<redacted value>"
The agent works on the real files but only sees redacted secrets.
To always run your agent or package manager under airgap
, add aliases to your shell config (~/.bashrc
, ~/.zshrc
, …):
alias claude="airgap claude"
alias opencode="airgap opencode"
alias npm="airgap npm"
Now npm install
and your agents run inside airgap
without you thinking about it.
airgap
is one layer, not a guarantee. It will miss things, and the attacks keep changing. Contributions welcome! If you find a hole, a program it should support, or a secret it should redact, open an issue and help make it better.
For anything security related, email [email protected].