{"slug": "hide-secrets-from-ai-agents-and-npm-install-using-airgap", "title": "Hide Secrets from AI Agents and NPM install using Airgap", "summary": "Airgap, a new Linux tool, wraps programs in namespaces to hide secrets from AI agents and block npm malware that steals credentials at install time. It redacts sensitive files like .env and SSH keys from agents and gates package manager file access, preventing attacks like the Shai-Hulud worm.", "body_md": "We let AI agents read and write files in our projects, and we install skills or plugins from the internet. npm malware steals secrets at install time. The AI agents run commands and install npm packages too, and sometimes those packages are hallucinated or malicious.\n\n`airgap` is a wrapper that runs a program inside namespaces. Sensitive secrets in files are hidden from AI agents. Agents can still work with the files, but they never see the real values. Package managers are gated: you get asked when they try to access a file they’re not supposed to.\n\n**Linux only.** macOS support is work in progress.\n\nYour secrets sit in plain files like `.env`, `~/.ssh`, and `~/.npmrc`. These days we, or our AI agents, run a lot of untrusted code that might read them. Two ways that happens:\n\n**AI agents.** An agent like `claude` or `opencode` reads through your project and home directory, and everything it reads might be sent to a model provider. A `.env` value or an SSH key can land in a prompt without you noticing. A malicious plugin or skill can grab sensitive files on purpose.\n\n**npm packages.** Malicious npm packages aren’t new, but the recent wave is very successful and spreads fast. A dependency can add a `preinstall` or `postinstall` hook that runs arbitrary code when you install it, and that code goes after your `.env` files, SSH keys, and cloud credentials.
Campaigns like **Shai-Hulud**, **Miasma**, **pgserve**, and the fake **tanstack** package all do the same thing: run on install, grab secrets, send them out. Some also leave persistent bad state behind. And an agent will run `npm install` on a package it made up, which is a name attackers now register ahead of time (slopsquatting).\n\nThe clearest example is [Shai-Hulud](https://unit42.paloaltonetworks.com/npm-supply-chain-attack/), a self-replicating worm that spread through npm in late 2025. When you install a compromised package, its hook looks for credentials in `.npmrc` (npm tokens), environment variables, and config files holding GitHub PATs and cloud keys for AWS, GCP, and Azure. It sends them to the attacker. With a stolen npm token, it republishes backdoored versions of the other packages that developer maintains, so every install of those spreads it again. The [2.0 campaign](https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/) in late 2025 moved the code to `preinstall`, which also affects CI/CD pipelines.\n\nThis malware only works if it can steal your secrets from disk. `airgap` is meant to prevent that. When a wrapped program reads `.env`, a private key, or `~/.npmrc`, it gets back redacted content. Any other unexpected file, like `~/.aws/credentials`, triggers a permission prompt first.\n\nIt currently redacts `.env` files (etc.) and `.npmrc` in your project and home directories. We’re adding more and more.\n\n`airgap` spawns the target program in a new mount and user namespace, and mounts your home directory and the current working directory (if different from the home one) as a FUSE filesystem. Every filesystem access goes through airgap’s handler.
From there we redact secrets, or ask you to confirm the program was supposed to access that file.\n\nInstall from [crates.io](https://crates.io/crates/airgap):\n\n```\ncargo install airgap\nairgap <program> [args...]\n```\n\n`airgap` has a program allowlist, with special rules for each program. Currently supported:\n\n- `claude`, `opencode` — run with redaction only.\n- `npm` — runs with redaction; `~/.gitconfig`, `node_modules`, and lockfiles are pre-approved.\n\nMore tools will be added. If you want support for another program, [open an issue](https://github.com/xtuc/airgap/issues).\n\nRedacting `.env` files:\n\n``` bash\n$ cat .env\nAPI_KEY=sk-live-9f8c2a1b4e7d\nDB_PASSWORD=hunter2\n\n$ airgap cat .env\nAPI_KEY=<redacted value>\nDB_PASSWORD=<redacted value>\n```\n\nThe file stays readable and editable for AI agents; only the secrets are hidden from them.\n\nWhen running `npm` under `airgap`, the install hooks run, but each new file read triggers a prompt:\n\n``` bash\n$ airgap npm install bad-package\n\nairgap: allow reading /home/sven/.ssh/id_rsa? [y/N] n\nairgap: blocked /home/sven/.ssh/id_rsa\n\nadded 42 packages in 2s\n```\n\nA `postinstall` script that tries to read `~/.ssh/id_rsa` gets caught and denied.
The install keeps going, and the hook gets nothing.\n\nNormal reads like `package.json`, lockfiles, and the npm cache are pre-approved, so you only get prompted for files that aren’t expected.\n\n``` bash\n$ airgap claude\n\n> show me ./.env contents\n\n  Read 1 file\n\nHere's the file:\n\nDATABASE_URL=\"<redacted value>\"\nAPI_KEY=\"<redacted value>\"\nAWS_SECRET_ACCESS_KEY=\"<redacted value>\"\n```\n\nThe agent works on the real files but only sees redacted secrets.\n\nTo always run your agent or package manager under `airgap`, add aliases to your shell config (`~/.bashrc`, `~/.zshrc`, …):\n\n```\nalias claude=\"airgap claude\"\nalias opencode=\"airgap opencode\"\nalias npm=\"airgap npm\"\n```\n\nNow `npm install` and your agents run inside `airgap` without you thinking about it.\n\n`airgap` is one layer, not a guarantee. It will miss things, and the attacks keep changing. Contributions welcome! If you find a hole, a program it should support, or a secret it should redact, [open an issue](https://github.com/xtuc/airgap/issues) and help make it better.\n\nFor anything security related, email airgap@sauleau.com.", "url": "https://wpnews.pro/news/hide-secrets-from-ai-agents-and-npm-install-using-airgap", "canonical_source": "https://sauleau.com/notes/airgap-security-for-the-modern-ai-age.html", "published_at": "2026-06-19 20:24:59+00:00", "updated_at": "2026-06-19 20:38:16.271299+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "developer-tools"], "entities": ["Airgap", "npm", "Shai-Hulud", "Miasma", "pgserve", "tanstack", "Claude", "OpenCode"], "alternates": {"html": "https://wpnews.pro/news/hide-secrets-from-ai-agents-and-npm-install-using-airgap", "markdown": "https://wpnews.pro/news/hide-secrets-from-ai-agents-and-npm-install-using-airgap.md", "text": "https://wpnews.pro/news/hide-secrets-from-ai-agents-and-npm-install-using-airgap.txt", "jsonld": 
"https://wpnews.pro/news/hide-secrets-from-ai-agents-and-npm-install-using-airgap.jsonld"}}