Hide Secrets from AI Agents and NPM install using Airgap

Sven Sauleau: Systems Engineer - airgap - Security for the modern AI age

airgap - Security for the modern AI age

The AI age

We let AI agents read and write files in our projects, and we install skills or plugins from the internet. npm malware steals secrets at install time. The AI agents run commands and install npm packages too, and sometimes those packages are hallucinated or malicious.

airgap is a wrapper that runs a program inside namespaces. Sensitive secrets in files are hidden from AI agents. Agents can still work with the files, but they never see the real values. Package managers are gated: you get asked before they try to access a file they’re not supposed to.

Linux only. macOS support is work in progress.

What airgap protects against

Your secrets sit in plain files like .env, ~/.ssh, and ~/.npmrc. These days we, or our AI agents, run a lot of untrusted code that might read them. Two ways that happens:

AI agents. An agent like claude or opencode reads through your project and home directory, and everything it reads might be sent to a model provider. A .env value or an SSH key can land in a prompt without you noticing. A malicious plugin or skill can grab sensitive files on purpose.

npm packages. Malicious npm packages aren’t new, but the recent wave is very successful and spreads fast. A dependency can add a preinstall or postinstall hook that runs arbitrary code when you install it, and that code goes after your .env files, SSH keys, and cloud credentials. Campaigns like Shai-Hulud, Miasma, pgserve, and the fake tanstack package all do the same thing: run on install, grab secrets, send them out. Some also leave persistent bad state behind. And an agent will run npm install on a package it made up, which is a name attackers now register ahead of time (slopsquatting).

The Shai-Hulud worm

The clearest example is Shai-Hulud, a self-replicating worm that spread through npm in late 2025. When you install a compromised package, its hook looks for credentials in .npmrc (npm tokens), environment variables, and config files holding GitHub PATs and cloud keys for AWS, GCP, and Azure. It sends them to the attacker.

With a stolen npm token, it republishes backdoored versions of the other packages that developer maintains, so every install of those spreads it again. The 2.0 campaign in late 2025 moved the code to preinstall, which also affects CI/CD pipelines.

How airgap would have stopped it

These malware only work if they can steal your secrets from disk. airgap is meant to prevent that. When it reads .env, a private key, or ~/.npmrc, it gets back redacted content. Any other unexpected file, like ~/.aws/credentials, asks for your permission first.

What it protects

secrets in files (.env, etc.)

SSH and PGP private keys

npm tokens (.npmrc)

In your project and home directories. We’re adding more and more.

How it works

airgap spawns the target program in a new mount and user namespace, and mounts your home directory and the current working directory (if different from the home one) as a FUSE filesystem. Every filesystem access goes through airgap’s handler. From there we redact secrets, or ask you to confirm the program was supposed to access that file.

Install

Install from crates.io:

cargo install airgap

Usage

airgap [args...]

airgap has a program allowlist, with special rules for each program. Currently supported:

AI agents — claude, opencode — run with redaction only.

Package manager — npm — runs with redaction and an interactive file gate. Benign paths like ~/.gitconfig, node_modules, and lockfiles are pre-approved.

More tools will be added. If you want support for another program, open an issue.

Secret redaction

.env files:

$ cat .env API_KEY=sk-live-9f8c2a1b4e7d DB_PASSWORD=hunter2

$ airgap cat .env API_KEY= DB_PASSWORD=

The file stays readable and editable for AI agents, just the secrets are hidden from them.

npm install file gate

When running npm under airgap, the install hooks run but each new file read triggers a prompt:

$ airgap npm install bad-package

airgap: allow reading /home/sven/.ssh/id_rsa? [y/N] n airgap: blocked /home/sven/.ssh/id_rsa

added 42 packages in 2s

A postinstall script that tries to read ~/.ssh/id_rsa gets caught and denied. The install keeps going, and the hook gets nothing.

Normal reads like package.json, lockfiles, and the npm cache are pre-approved, so you only get prompted for files that aren’t expected.

With an AI agent

$ airgap claude

> show me ./.env contents

Read 1 file

Here's the file:

DATABASE_URL="" API_KEY="" AWS_SECRET_ACCESS_KEY=""

The agent works on the real files but only sees redacted secrets.

Make it transparent with aliases

To always run your agent or package manager under airgap, add aliases to your shell config (~/.bashrc, ~/.zshrc, …):

alias claude="airgap claude" alias opencode="airgap opencode" alias npm="airgap npm"

Now npm install and your agents run inside airgap without you thinking about it.

No security layer is perfect

airgap is one layer, not a guarantee. It will miss things, and the attacks keep changing. Contributions welcome! If you find a hole, a program it should support, or a secret it should redact, open an issue and help make it better.

For anything security related, email [email protected].

Links

GitHub: https://github.com/xtuc/airgap

crates.io: https://crates.io/crates/airgap

Reach out

Say hello: [email protected].

Ping me on Twitter: @svensauleau.