# Hide Secrets from AI Agents and NPM install using Airgap > Source: > Published: 2026-06-19 20:24:59+00:00 We let AI agents read and write files in our projects, and we install skills or plugins from the internet. npm malware steals secrets at install time. The AI agents run commands and install npm packages too, and sometimes those packages are hallucinated or malicious. `airgap` is a wrapper that runs a program inside namespaces. Sensitive secrets in files are hidden from AI agents. Agents can still work with the files, but they never see the real values. Package managers are gated: you get asked before they try to access a file they’re not supposed to. **Linux only.** macOS support is work in progress. Your secrets sit in plain files like `.env` , `~/.ssh` , and `~/.npmrc` . These days we, or our AI agents, run a lot of untrusted code that might read them. Two ways that happens: **AI agents.** An agent like `claude` or `opencode` reads through your project and home directory, and everything it reads might be sent to a model provider. A `.env` value or an SSH key can land in a prompt without you noticing. A malicious plugin or skill can grab sensitive files on purpose. **npm packages.** Malicious npm packages aren’t new, but the recent wave is very successful and spreads fast. A dependency can add a `preinstall` or `postinstall` hook that runs arbitrary code when you install it, and that code goes after your `.env` files, SSH keys, and cloud credentials. Campaigns like **Shai-Hulud**, **Miasma**, **pgserve**, and the fake ** tanstack** package all do the same thing: run on install, grab secrets, send them out. Some also leave persistent bad state behind. And an agent will run `npm install` on a package it made up, which is a name attackers now register ahead of time (slopsquatting).The clearest example is [ Shai-Hulud](https://unit42.paloaltonetworks.com/npm-supply-chain-attack/), a self-replicating worm that spread through npm in late 2025. When you install a compromised package, its hook looks for credentials in `.npmrc` (npm tokens), environment variables, and config files holding GitHub PATs and cloud keys for AWS, GCP, and Azure. It sends them to the attacker.With a stolen npm token, it republishes backdoored versions of the other packages that developer maintains, so every install of those spreads it again. The [2.0 campaign](https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/) in late 2025 moved the code to `preinstall` , which also affects CI/CD pipelines. These malware only work if they can steal your secrets from disk. `airgap` is meant to prevent that. When it reads `.env` , a private key, or `~/.npmrc` , it gets back redacted content. Any other unexpected file, like `~/.aws/credentials` , asks for your permission first. `.env` , etc.)`.npmrc` )In your project and home directories. We’re adding more and more. `airgap` spawns the target program in a new mount and user namespace, and mounts your home directory and the current working directory (if different from the home one) as a FUSE filesystem. Every filesystem access goes through airgap’s handler. From there we redact secrets, or ask you to confirm the program was supposed to access that file. Install from [crates.io](https://crates.io/crates/airgap): ``` cargo install airgap airgap [args...] ``` `airgap` has a program allowlist, with special rules for each program. Currently supported: `claude` , `opencode` — run with redaction only.`npm` — runs with redaction `~/.gitconfig` , `node_modules` , and lockfiles are pre-approved.More tools will be added. If you want support for another program, [open an issue](https://github.com/xtuc/airgap/issues). `.env` files: ``` bash $ cat .env API_KEY=sk-live-9f8c2a1b4e7d DB_PASSWORD=hunter2 $ airgap cat .env API_KEY= DB_PASSWORD= ``` The file stays readable and editable for AI agents, just the secrets are hidden from them. When running `npm` under `airgap` , the install hooks run but each new file read triggers a prompt: ``` bash $ airgap npm install bad-package airgap: allow reading /home/sven/.ssh/id_rsa? [y/N] n airgap: blocked /home/sven/.ssh/id_rsa added 42 packages in 2s ``` A `postinstall` script that tries to read `~/.ssh/id_rsa` gets caught and denied. The install keeps going, and the hook gets nothing. Normal reads like `package.json` , lockfiles, and the npm cache are pre-approved, so you only get prompted for files that aren’t expected. ``` bash $ airgap claude > show me ./.env contents Read 1 file Here's the file: DATABASE_URL="" API_KEY="" AWS_SECRET_ACCESS_KEY="" ``` The agent works on the real files but only sees redacted secrets. To always run your agent or package manager under `airgap` , add aliases to your shell config (`~/.bashrc` , `~/.zshrc` , …): ``` alias claude="airgap claude" alias opencode="airgap opencode" alias npm="airgap npm" ``` Now `npm install` and your agents run inside `airgap` without you thinking about it. `airgap` is one layer, not a guarantee. It will miss things, and the attacks keep changing. Contributions welcome! If you find a hole, a program it should support, or a secret it should redact, [open an issue](https://github.com/xtuc/airgap/issues) and help make it better. For anything security related, email [[email protected]](/cdn-cgi/l/email-protection#57363e25303627172436223b3236227934383a).