HeadlinesBriefing.com

Airgap Tool Blocks AI Agents and NPM from Stealing Secrets

Hacker News

Airgap wraps programs in Linux namespaces to hide sensitive files from AI agents and package managers. The tool intercepts filesystem access through FUSE, redacting secrets in .env files, SSH keys, and npmrc before any code can read them. It's a response to growing attacks where AI agents and malicious npm packages harvest credentials during routine development tasks.

Malicious npm packages have become a serious threat. Recent campaigns like Shai-Hulud use preinstall hooks to steal credentials and spread through CI/CD pipelines. These worms grab .npmrc tokens, environment variables, and cloud keys, then republish compromised versions of other packages the developer maintains. The attack spreads automatically because developers unknowingly install backdoored dependencies.

Airgap prevents this by mounting your home and project directories as a FUSE filesystem. When npm install runs, any attempt to access unexpected files triggers a permission prompt. AI agents like claude and opencode see redacted values instead of real secrets. Normal paths for package.json, lockfiles, and node_modules remain pre-approved to avoid constant interruptions.
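The read policy described above, modelled in a few lines as an added illustration for this page (not the airgap project's own code): the pre-approved names, the secret file names and the sample files are all assumptions chosen to match the article.

```python
"""Model of an airgap-style read policy (illustration for this page, not airgap's code)."""
from pathlib import PurePosixPath
PREAPPROVED_NAMES = {"package.json", "package-lock.json"}  # npm needs these: no prompt (assumed)
PREAPPROVED_DIRS = {"node_modules"}
SECRET_NAMES = {".env", ".npmrc"}   # values replaced before any code can read them
SECRET_DIRS = {".ssh"}              # whole file hidden

def classify(rel_path: str) -> str:
    """Return 'redact', 'allow' or 'prompt' for a project-relative path."""
    p = PurePosixPath(rel_path)
    # Secret checks come first so a .env inside node_modules is still redacted.
    if p.name in SECRET_NAMES or p.name.startswith(".env.") or SECRET_DIRS & set(p.parts):
        return "redact"
    if p.name in PREAPPROVED_NAMES or PREAPPROVED_DIRS & set(p.parts):
        return "allow"
    return "prompt"

def redact_values(text: str) -> str:
    """Keep KEY= names so tooling sees which variables exist, but drop every value."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "=" not in s:
            out.append(line)
        else:
            out.append(line.partition("=")[0] + "=<redacted>")
    return "\n".join(out)

def serve_read(rel_path: str, real_content: str, approve=lambda _p: False):
    """Content the sandboxed program receives; `approve` stands in for the user prompt."""
    decision = classify(rel_path)
    if decision == "allow":
        return decision, real_content
    if decision == "redact":
        if SECRET_DIRS & set(PurePosixPath(rel_path).parts):
            return decision, "<redacted>\n"   # private keys: nothing of the file leaks
        return decision, redact_values(real_content)
    if approve(rel_path):                     # unexpected path: ask before exposing it
        return "approved", real_content
    return "denied", ""

SAMPLE_FS = {  # constructed sample project files with fake values
    ".env": "DB_URL=postgres://app:hunter2@db/app\n# comment\nDEBUG=1\n",
    ".npmrc": "//registry.npmjs.org/:_authToken=npm_EXAMPLE_TOKEN\n",
    ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nEXAMPLE\n",
    "package.json": '{"name": "demo"}\n',
    "src/notes.txt": "todo\n",
}
def simulate_install() -> dict:
    """What a malicious preinstall hook would get per path, with every prompt denied."""
    return {p: serve_read(p, c) for p, c in SAMPLE_FS.items()}
```

Running `simulate_install()` shows the point of the design: the hook still reads a well-formed package.json, but every credential-bearing value it could exfiltrate has already been replaced.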

Installation comes from crates.io. Users can add shell aliases for claude, opencode, and npm to automatically run them under airgap protection. The project welcomes contributions for additional program support and secret detection. While no security layer is perfect, airgap provides defense against credential theft during development workflows.