That Innocent-Looking Terminal Command Might Not Be What You Think

How attackers use invisible characters and lookalike symbols to hide malicious commands in plain sight — and a new tool that stops them.

I've been pasting commands into terminals for over two decades. curl this, pip install that, the occasional Stack Overflow snippet copied without a second thought. I'd like to think I'd notice something malicious.

I wouldn't. Neither would you. Not if the attacker is clever.

This week, a security researcher released an open-source tool called Tirith that intercepts commands before your shell runs them, checking for invisible characters, lookalike Unicode symbols, and other tricks that make malicious commands look identical to legitimate ones.

The fact that this tool needs to exist should worry you.

The Attack You Can't See

Here's the problem: your terminal renders Unicode beautifully. That includes characters from alphabets that look nearly identical to Latin letters but aren't.

The Cyrillic 'а' (U+0430) looks exactly like the Latin 'a' (U+0061). The Greek 'ο' is indistinguishable from 'o'. There are dozens of these lookalikes across different scripts.

Now imagine a command that tells you to download from github.com — except one of those letters is Cyrillic. Your eyes see GitHub. Your computer resolves an entirely different domain, controlled by whoever registered it.

This isn't theoretical. Homoglyph attacks have been used in phishing campaigns for years. Browsers eventually caught on and now warn you about mixed-script URLs. But terminals? They render everything faithfully and execute whatever you paste.

It Gets Worse

Homoglyphs are just one category. Tirith's documentation lists several others:

Invisible characters. Zero-width spaces, bidirectional text overrides, and other Unicode control characters that literally don't appear on screen. An attacker can insert code that's completely invisible to you.

ANSI escape sequences. These control how your terminal displays text — colours, cursor position, clearing the screen. They can also make part of a command invisible while it still executes.

Pipe-to-shell patterns. You've probably run curl https://something.com/install.sh | bash at some point. We all have. But even if you inspect the URL, the script could be different by the time your bash fetches it, or a man-in-the-middle could swap it out.

The common thread: things that look safe can be hiding things that aren't.
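To make those three categories concrete, here is a small Python script added for this post. It is not Tirith's code and borrows nothing from it; the rule names, the regular expressions and the sample commands are my own constructions. It spells out every non-printable code point the way a terminal never does, then flags mixed-script tokens (the homoglyph tell), invisible format and control characters, ANSI escape sequences, and a fetch piped straight into a shell or interpreter.

```python
"""Added example: detect the terminal-rendering tricks described above.
Not Tirith's code; rule names, regexes and samples are constructed here."""
import re
import unicodedata

# ANSI escape sequences: CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or ST),
# or any other two-byte ESC sequence (ESC followed by 0x40-0x5F).
ANSI_RE = re.compile(r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])")

# A curl/wget whose output is piped into a shell or interpreter, with or without sudo.
PIPE_TO_SHELL_RE = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+(?:-\S+\s+)*)?"
    r"(?:sh|bash|zsh|dash|ksh|python3?|perl|ruby|node)\b"
)

ORDINARY_WHITESPACE = {" ", "\t", "\n", "\r"}


def script_of(ch: str) -> str:
    """First word of the Unicode name (LATIN, CYRILLIC, GREEK, ...); '' if not a letter."""
    if not unicodedata.category(ch).startswith("L"):
        return ""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def find_mixed_script(cmd: str) -> list[str]:
    """Tokens whose letters come from more than one script: the classic homoglyph sign."""
    findings = []
    for token in re.split(r"\s+", cmd):
        scripts = {script_of(ch) for ch in token} - {""}
        if len(scripts) > 1:
            odd = [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"
                   for ch in token if script_of(ch) not in ("", "LATIN")]
            findings.append(f"{token!r} mixes {sorted(scripts)}: {', '.join(odd)}")
    return findings


def find_invisible(cmd: str) -> list[str]:
    """Format, control, private-use and unassigned code points (ESC is left to the ANSI rule)."""
    findings = []
    for i, ch in enumerate(cmd):
        if ch in ORDINARY_WHITESPACE or ch == "\x1b":
            continue
        cat = unicodedata.category(ch)
        if cat in ("Cf", "Cc", "Co", "Cn"):
            findings.append(f"offset {i}: U+{ord(ch):04X} {unicodedata.name(ch, cat)}")
    return findings


def find_ansi(cmd: str) -> list[str]:
    return [f"offset {m.start()}: {m.group()!r}" for m in ANSI_RE.finditer(cmd)]


def find_pipe_to_shell(cmd: str) -> list[str]:
    m = PIPE_TO_SHELL_RE.search(cmd)
    return [m.group()] if m else []


def scan(cmd: str) -> list[tuple[str, str]]:
    """Run every rule; each finding is (rule, detail). An empty list means nothing was flagged."""
    rules = [("mixed-script", find_mixed_script), ("invisible", find_invisible),
             ("ansi-escape", find_ansi), ("pipe-to-shell", find_pipe_to_shell)]
    return [(name, detail) for name, fn in rules for detail in fn(cmd)]


def reveal(cmd: str) -> str:
    """Render the command with every non-printable-ASCII character spelled out as <U+XXXX>."""
    return "".join(ch if ch.isascii() and ch.isprintable() else f"<U+{ord(ch):04X}>" for ch in cmd)


# Constructed sample commands (not taken from the article or from any real incident).
SAMPLES = {
    "clean": "curl -fsSL https://example.com/install.sh -o install.sh",
    # the 'a' in example.com is CYRILLIC SMALL LETTER A (U+0430), not Latin 'a'
    "homoglyph": "curl -fsSL https://ex\u0430mple.com/install.sh -o install.sh",
    # a ZERO WIDTH SPACE and a RIGHT-TO-LEFT OVERRIDE that render as nothing
    "invisible": "cd proj\u200b && make\u202e",
    # cursor-up and erase-line sequences that hide what came before them
    "ansi": "echo ok\x1b[1A\x1b[2Kecho hidden",
    "pipe": "curl -sSL https://example.com/install.sh | sudo bash",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"[{label}] {reveal(cmd)}")
        for rule, detail in scan(cmd) or [("ok", "nothing flagged")]:
            print(f"    {rule}: {detail}")
```

Run it and the "homoglyph" sample, which looks identical to "clean" in a terminal, is reported as mixing LATIN and CYRILLIC with the exact code point named; the "invisible" sample shows two code points the screen never drew. The mixed-script rule deliberately works per token rather than per command, because a legitimate command can contain a non-Latin filename argument next to a Latin one, while a single hostname token that mixes scripts almost never is.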

Where These Attacks Show Up

The ClickFix attack pattern has been all over security news lately. It's simple: trick someone into opening a terminal and pasting a command. The command looks like it's fixing something, but it's downloading malware.

This works because people trust the command line. It feels technical and therefore safe, which is exactly backwards.

Other scenarios:

  • Malicious README files in GitHub repos with copy-paste install commands
  • Discord and Telegram messages sharing "helpful" scripts
  • Fake technical support telling you to run diagnostic commands
  • Compromised tutorial websites
  • Typosquatted package names (python-requests instead of requests)

If you install software or run scripts from the internet — and everyone does — you're exposed.

What Tirith Does

Tirith hooks into your shell (bash, zsh, fish, and PowerShell are supported) and inspects every command you paste before execution. It's checking for:

  • Mixed-script URLs and homoglyph characters
  • Invisible Unicode characters
  • ANSI escape sequences that could hide content
  • Pipe-to-shell patterns that fetch and execute remote code
  • References to sensitive dotfiles (.bashrc, .ssh/authorized_keys)
  • Typosquatted repository names
  • Credentials embedded in URLs

Everything runs locally — no network calls, no telemetry, no accounts. It just analyzes what you're about to run and warns you if something looks suspicious.

Installation is straightforward:

# macOS
brew install tirith

# Linux (apt)
sudo apt install tirith

# Or via npm if you prefer
npm install -g tirith

After installation, you'll need to add the hook to your shell config. The GitHub README has instructions for each shell.

The overhead is sub-millisecond. You won't notice it's there unless it stops something.

The Bigger Picture: Terminal Hygiene

Tirith is useful, but it's a safety net, not a solution. The real answer is treating terminal commands with the same suspicion you'd give a link in a phishing email.

Read Before You Paste

I know. You found a command on the internet that supposedly fixes your problem, and you just want to get on with your day. But actually reading the command takes five seconds and could save you from disaster.

Look for:

  • URLs you don't recognise
  • Encoded or obfuscated content (base64 -d, eval, compressed strings)
  • Writes to sensitive locations (~/.ssh, ~/.bashrc, /etc/)
  • Elevated privileges when not obviously needed (sudo for an install script)
  • Pipes to shells or interpreters (| bash, | python)

If you don't understand what a command does, look it up. Or better, don't run it.
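The checklist above is easy to turn into a script you run over a command before pasting it. The Python below is an added example for this post, not part of Tirith; the trusted-host list, the rule names and the sample commands are placeholders I constructed. It extracts URLs and compares their hosts against hosts you have decided to trust, then applies one regular expression per checklist item: pipes into interpreters, decode-and-run idioms, writes to sensitive dotfiles or /etc, sudo, and credentials embedded in URLs.

```python
"""Added example: a pre-paste linter for the 'look for' checklist.
Not Tirith's code; rules, trusted hosts and samples are constructed here."""
import re
from urllib.parse import urlparse

# Hosts you personally trust downloads from; a constructed placeholder set.
TRUSTED_HOSTS = {"github.com", "pypi.org", "registry.npmjs.org"}

URL_RE = re.compile(r"https?://[^\s'\"<>|;]+")

# One rule per checklist item; the name is what gets reported.
RULES = [
    ("pipe-to-interpreter",
     re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash|zsh|dash|ksh|python3?|perl|ruby|node)\b")),
    ("decode-and-eval",
     re.compile(r"\b(?:base64\s+(?:-d|--decode)|eval\b|xxd\s+-r|gunzip|openssl\s+enc\s+-d)")),
    ("sensitive-path",
     re.compile(r"(?:~|\$HOME|/root|/home/[^/\s]+)/\.(?:ssh|bashrc|zshrc|profile|bash_profile)\b|/etc/")),
    ("elevated-privilege", re.compile(r"\bsudo\b")),
    ("credential-in-url", re.compile(r"https?://[^/\s:@]+:[^/\s@]+@")),
]


def review(cmd: str) -> list[tuple[str, str]]:
    """Return (rule, matched text) for every checklist item the command trips."""
    findings = []
    for url in URL_RE.findall(cmd):
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_HOSTS:
            findings.append(("unfamiliar-host", host))
    for name, rx in RULES:
        for m in rx.finditer(cmd):
            findings.append((name, m.group()))
    return findings


# Constructed sample commands (not from the article or any real incident).
SAMPLES = {
    "plain": "pip install requests",
    "one-liner": "curl -fsSL https://example.com/get.sh | sudo bash",
    "obfuscated": "echo aGVsbG8= | base64 -d | sh",          # aGVsbG8= is just 'hello'
    "dotfile": "echo 'export EDITOR=vim' >> ~/.bashrc",
    "leaky": "git clone https://deploy:s3cret@example.com/org/repo.git",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"[{label}] {cmd}")
        for rule, hit in review(cmd) or [("ok", "nothing flagged")]:
            print(f"    {rule}: {hit}")
```

None of these rules is proof of malice: a packaging script legitimately needs sudo, and you will append to ~/.bashrc on purpose. The point is that each finding names one line of the checklist you should be reading, so the five seconds of attention go where they matter.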

Type, Don't Paste (For Sensitive Things)

When you type a URL, you're typing exactly what you mean. When you paste, you're trusting that what you copied is what you think it is.

For anything involving authentication, downloads from specific domains, or system configuration — type the URL yourself.

Verify Package Sources

Before npm install mystery-package, check if it exists on the official registry. Look at download counts, last update date, and whether the author has other packages. Typosquatting is common: attackers register colorsjs hoping you'll typo colors.

For git repositories, verify you're cloning the real thing. Check the GitHub organisation matches who you think you're downloading from.

Be Wary of One-Line Installers

The curl | bash pattern is convenient but dangerous. You're downloading and executing code in one step with no review.

If you must use these installers:

  1. Fetch the script first: curl -O https://example.com/install.sh
  2. Read it: less install.sh
  3. Then run it: bash install.sh

Yes, this is more work. The script could still be malicious, but at least you've made the author work harder to hide it.

Sandbox What You Can

Run untrusted code in containers or VMs. A Docker container that gets compromised is annoying. Your main development machine getting compromised is catastrophic.

For one-off experiments:

docker run -it --rm ubuntu:latest /bin/bash
# Now paste your sketchy command here

Windows Users

Tirith supports PowerShell but not cmd.exe. Unfortunately, most ClickFix attacks target Command Prompt specifically because it's less locked down.

Windows Defender has some protection against common malware, but prevention is better than detection. If someone on the internet tells you to open Command Prompt and paste something, ask yourself why they need access to your system.

A Cultural Problem

The deeper issue is how we've normalised copying commands from the internet. Stack Overflow, GitHub READMEs, random blog posts — we paste these into the most privileged environment on our computers without a second thought.

We'd never click a link in an email without hovering to see where it goes. But we'll paste a command that downloads and executes arbitrary code from a domain we've never heard of.

Terminal commands deserve the same skepticism as links. Actually, more — because they can do more damage.

Tirith is worth installing. But the real fix is slowing down and treating the command line like what it is: a direct interface to your system that does exactly what you tell it, even when what you tell it isn't what you meant.


Tirith is available on GitHub and installs in a couple of minutes. Whether or not you use it, start reading commands before you paste them.

Your future self will thank you when you're not explaining to IT why you accidentally ran a cryptominer.
