Homograph attacks have long been associated mainly with web browsers and domain name systems, but the same Unicode tricks are increasingly dangerous in command line environments. A new cross-platform tool called Tirith, created by developer Sheeki, brings homograph protection directly into shells and terminals — one of the most critical yet least protected components of modern developer and administrator workflows.
Homograph attacks and Unicode spoofing: how the threat works
Homograph attacks abuse homoglyphs — characters that look the same or almost the same, but belong to different alphabets or Unicode code points. For example, in many fonts the uppercase “I” and lowercase “l” are nearly indistinguishable, and the Cyrillic “О” (U+041E) is visually identical to the Latin “O” (U+004F).
Attackers register domains where legitimate Latin characters are silently replaced by similar-looking Cyrillic, Greek or other Unicode symbols. To the naked eye, the URL appears authentic, but the user is actually redirected to an attacker-controlled server. This class of risks is well documented in ICANN guidance and in the standard Unicode UTS #39: Unicode Security Mechanisms, which explicitly highlights mixed scripts as a serious vector for phishing and impersonation.
While modern browsers implement defenses such as Punycode display, script-mixing checks and stricter Internationalized Domain Name (IDN) policies, the same level of scrutiny is rarely applied outside the browser — especially in terminals and command line tools that developers rely on every day.
Why terminals and command lines are a blind spot for homograph attacks
Most terminal emulators and shells still render Unicode, ANSI escape sequences and even invisible control characters without warnings or security checks. Any URL or domain embedded in a shell command is usually shown exactly as-is, regardless of whether it contains suspicious script mixing or deceptive look-alike characters.
In practice, this is a major weakness. Developers, DevOps engineers and administrators constantly copy and paste commands from documentation, GitHub repositories, Stack Overflow, technical blogs and chat messages. A seemingly harmless one-liner used to install a package or fetch a script can easily hide a spoofed URL or contain logic that is not obvious on a quick visual inspection.
This environment is fertile ground for targeted phishing and supply chain attacks. If an attacker compromises documentation, a README, or a pastebin snippet, they can quietly replace a legitimate domain with a Unicode homograph and rely on users to execute the command in their own privileged environments.
Tirith: cross-platform command line protection against malicious URLs
Tirith is designed as a lightweight interception layer between the user and the shell. It integrates with popular shells — zsh, bash, fish and PowerShell — and examines every command that is typed or pasted before it is executed. When Tirith detects a URL containing suspicious characters or script combinations indicative of a Unicode homograph attack, it blocks execution and prompts the user to review the command.
The project is released as open source and maintained on GitHub, with distribution through an npm package and other package managers. This approach enables independent code review, easier integration into CI/CD pipelines, and alignment with enterprise security policies that require transparency and auditable tooling.
Core security mechanisms and technical features of Tirith
According to the author, Tirith performs its analysis in less than a millisecond, so the additional security checks have negligible impact on terminal performance. The tool exits immediately after processing a command, does not run persistently in the background and does not modify user input.
Byte-level Unicode inspection. Tirith analyzes URLs at the level of Unicode code points, detecting mixtures of different scripts and the presence of visually confusable characters that are commonly abused in homograph attacks. This allows it to catch subtle spoofing that users are unlikely to spot manually.
Trust signal evaluation. Beyond raw character analysis, the tool considers structural properties of the domain and URL — such as unusual labels, suspicious TLD usage or misleading subdomain patterns — to flag potentially malicious links even when they differ from the legitimate domain by only one or two characters.
Pre-execution command analysis. Tirith can be used to evaluate the safety of commands before they run, which is particularly valuable for script review, secure coding guidelines, training labs and internal security documentation. Teams can validate that sample commands do not embed spoofed URLs before publishing them.
SHA-256-based logging for forensics. The tool maintains a log of executed commands and scripts, enriched with SHA-256 hashes. This supports forensic investigations and incident response by making it easier to reconstruct exactly which commands were run and to compare them against known-good versions.
Privacy model, limitations and use cases for Tirith in terminal security
All checks in Tirith are performed locally. The tool does not rely on cloud services, external APIs, user accounts or telemetry. For organizations with strict confidentiality requirements and restrictions on external dependencies in the development toolchain, this local-only design significantly reduces the trust surface.
However, Tirith currently has an important limitation: it does not integrate with cmd.exe, the classic Windows command prompt. This gap is notable because cmd.exe is often used in so-called ClickFix-style attacks, where attackers persuade users to manually paste and run prepared commands. PowerShell support mitigates part of this risk, but legacy environments that still depend heavily on cmd.exe remain exposed.
Tirith is particularly valuable for teams that frequently reuse commands from external sources. Any code snippet containing a URL — whether in a Dockerfile, an installation script or a CI configuration — is a potential target for homograph substitution, especially if the original content source has been compromised or tampered with in transit.
The tool also fits naturally into security education and cyber range environments. Training platforms, internal developer portals and university labs can integrate Tirith to demonstrate real homograph risks and enforce safer terminal practices, even when users have limited prior awareness of Unicode-based phishing techniques.
Supported platforms and deployment options
Tirith is designed as a truly cross-platform solution, with support for Windows, Linux and macOS. Installation is available through popular package managers including Homebrew, apt/dnf, npm, Cargo, Nix, Scoop and Chocolatey, as well as via a Docker image. This flexibility makes it straightforward to deploy across developer workstations, build servers and containerized environments.
Adopting Tirith does not replace fundamental security hygiene practices: users should still verify domain names carefully, enable Punycode display in browsers where appropriate, restrict shell privileges, and rely on strong authentication and least-privilege principles. However, adding an automated layer that inspects Unicode and URLs directly in the terminal significantly reduces the likelihood that a barely visible character swap in a command will lead to system compromise. Organizations that depend heavily on command line workflows should consider integrating tools like Tirith as part of a broader strategy to harden their development and operations environments against modern phishing and spoofing attacks.
