A Growing Attack Vector Gets a Defense
A new open-source tool called Tirith aims to tackle one of the more deceptive attack techniques in the security landscape: homoglyph attacks targeting command-line environments. Created by developer Sheeki and released this week, Tirith hooks directly into terminal shells to inspect pasted commands before they execute, catching malicious Unicode substitutions that are invisible to the human eye.
The tool addresses a significant blind spot in developer workflows. While browsers have implemented IDN homograph protections for years, terminal environments have remained largely unguarded against lookalike character attacks that can redirect package installations, script downloads, and repository clones to attacker-controlled infrastructure.
How Homoglyph Attacks Work
Homoglyph attacks exploit the visual similarity between characters from different Unicode alphabets. For example, a Cyrillic "i" (і) appears identical to a Latin "i" on screen but resolves to a completely different domain when used in a URL. This makes attacks nearly impossible to detect by visual inspection alone.
Common Attack Scenarios
| Attack Type | Example | Risk |
|---|---|---|
| Domain spoofing | curl https://gіthub.com/... (Cyrillic і) | Downloads malware from lookalike domain |
| Package typosquatting | npm install reаct-scripts (Cyrillic а) | Installs backdoored package |
| Repository substitution | git clone https://gіtlab.com/... | Clones malicious repository |
| Script piping | curl malicious-site \| bash | Executes arbitrary code via pipe-to-shell |
In each case, the command looks legitimate to the developer but directs traffic to attacker-controlled resources. Supply chain attacks using these techniques have been on the rise, with typosquatted packages on npm, PyPI, and other registries appearing with increasing frequency.
What Tirith Detects
Tirith performs byte-level Unicode inspection on every command before execution, catching a range of threats beyond just homoglyphs:
- Unicode homograph attacks - Detects lookalike characters in domains and punycode URLs
- Terminal injection - Blocks ANSI escape sequences, bidirectional text overrides, and zero-width characters that can hide malicious commands
- Pipe-to-shell patterns - Flags dangerous `curl | bash` and `wget | sh` constructs
- Dotfile hijacking - Identifies attempts to manipulate shell configuration files
- Insecure transport - Warns when HTTP (non-TLS) URLs are used in shell commands
- Credential exposure - Detects passwords and tokens embedded in URLs
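To make the checks above concrete, here is an added example of a simplified command scanner written for this article; it is not Tirith's code, and its heuristics (script detection by Unicode character name, a handful of regexes for pipe-to-shell, URL credentials and plaintext HTTP) are approximations of the categories the tool reports.

```python
import re
import unicodedata

# Constructed patterns for the non-homoglyph checks (assumptions, not Tirith's rules).
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
USERINFO_IN_URL = re.compile(r"://[^/\s@:]+:[^/\s@]+@")
INSECURE_URL = re.compile(r"\bhttp://", re.IGNORECASE)
# Zero-width characters and bidirectional controls that render as nothing on screen.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",
             "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
             "\u2066", "\u2067", "\u2068", "\u2069"}


def script_of(ch: str) -> str:
    """Approximate a character's script by the first word of its Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"


def scan_command(cmd: str) -> list[str]:
    """Return human-readable findings for one command; an empty list means clean."""
    findings = []
    # 1. Homoglyphs: a token mixing Latin letters with letters of another script.
    for tok in cmd.split():
        scripts = {script_of(c) for c in tok if c.isalpha()}
        if "LATIN" in scripts and len(scripts) > 1:
            others = ", ".join(sorted(scripts - {"LATIN"}))
            findings.append(f"mixed-script token {tok!r} ({others})")
    # 2. Terminal injection: raw ESC (ANSI sequences), zero-width and bidi characters.
    if "\x1b" in cmd:
        findings.append("ANSI escape sequence")
    for ch in sorted(INVISIBLE & set(cmd)):
        findings.append(f"invisible character U+{ord(ch):04X}")
    # 3. Punycode labels hide the decoded (possibly lookalike) hostname from the reader.
    if "xn--" in cmd.lower():
        findings.append("punycode label")
    # 4. Pipe-to-shell, credentials in the URL userinfo part, plaintext HTTP.
    if PIPE_TO_SHELL.search(cmd):
        findings.append("pipe-to-shell")
    if USERINFO_IN_URL.search(cmd):
        findings.append("credentials in URL")
    if INSECURE_URL.search(cmd):
        findings.append("insecure http:// transport")
    return findings


if __name__ == "__main__":
    # Constructed samples: "gіthub" and "reаct" contain Cyrillic і (U+0456) and а (U+0430).
    for sample in ("git clone https://g\u0456thub.com/org/repo.git",
                   "npm install re\u0430ct-scripts",
                   "curl -fsSL http://example.invalid/install.sh | sudo bash",
                   "git clone https://github.com/org/repo.git"):
        print(sample, "->", scan_command(sample) or ["clean"])
```

The first two samples look identical to their legitimate counterparts in most terminal fonts, which is exactly why the check has to operate on code points rather than on what is rendered.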
Platform Support
The tool is cross-platform and supports the most common shell environments:
| Platform | Supported Shells |
|---|---|
| Linux | bash, zsh, fish |
| macOS | bash, zsh, fish |
| Windows | PowerShell |
Windows Command Prompt (cmd.exe) is notably excluded due to its limited hook capabilities.
Performance and Privacy
One of Tirith's key design decisions is that all analysis happens locally with no network calls. The tool adds sub-millisecond overhead to command execution, making it effectively transparent during normal use. There is no telemetry, no cloud connectivity, and no API keys required.
For auditability, Tirith generates SHA-256 audit receipts for executed scripts, providing a forensic trail of what was run and when.
The tool is available as an npm package and on GitHub under the Sheeki03 organization.
Defensive Recommendations
For Development Teams
- Install Tirith on developer workstations - Especially for teams that regularly install packages or run scripts from external sources
- Add to onboarding checklists - Make terminal security tooling part of standard developer environment setup
- Review pipe-to-shell practices - Audit team workflows that use `curl | bash` patterns and replace them with verified, checksummed downloads where possible
- Enable clipboard inspection - Tirith's paste-time analysis is particularly valuable since many attacks rely on copy-paste from untrusted sources
For Security Teams
- Evaluate for enterprise deployment - The local-only, no-network design makes it suitable for air-gapped and regulated environments
- Combine with package registry monitoring - Pair terminal-level detection with upstream monitoring for typosquatted packages
- Review Unicode policies - Consider restricting non-ASCII characters in CI/CD pipeline configurations