Supply Chain Security
How eBPF-Based Egress Monitoring Would Have Caught the Shai-Hulud npm Worm in Real-Time

Devin Bernosky
September 26, 2025

September 2025 marked a watershed moment for supply chain security when the Shai-Hulud worm became the first self-replicating malware to successfully propagate through the npm ecosystem. While the security community's rapid response limited damage, the attack exposed a critical blind spot: organizations had no visibility into what their backend systems were actually sending to the internet. This post examines how Qpoint's eBPF-based data-in-motion security would have detected this attack at the moment of compromise.

The Attack: A Self-Propagating Supply Chain Nightmare

On September 14, 2025, at 17:58 UTC, the npm ecosystem faced something unprecedented. Unlike previous supply chain attacks that required manual intervention, the Shai-Hulud worm contained autonomous propagation capabilities. Starting from a single compromised package ([email protected]), the worm spread to over 500 packages within 48 hours.

The worm's operation was elegantly malicious:

  1. Execute during npm install via postinstall hooks
  2. Harvest credentials using TruffleHog to scan for AWS keys, npm tokens, and GitHub PATs
  3. Exfiltrate credentials to webhook.site endpoints
  4. Use stolen npm tokens to automatically publish infected versions of all packages the account controlled
  5. Create GitHub repositories containing the stolen credentials for redundant exfiltration

Major packages compromised included @ctrl/tinycolor, multiple @crowdstrike namespace packages, and dozens of @nativescript-community packages, affecting millions of weekly downloads.

The Blind Spot: Why Traditional Security Missed It

The Shai-Hulud worm exploited a fundamental gap in enterprise security architecture. Most organizations have sophisticated security stacks, yet none of their tools could see what was happening:

  • Network monitoring saw encrypted TLS connections to webhook.site but couldn't inspect the payload
  • Endpoint detection logged npm installations but didn't correlate them with outbound connections
  • Cloud security platforms scan configurations periodically, missing real-time credential theft
  • Container security focused on vulnerabilities and misconfigurations, not runtime data flows

The core issue? All these tools operate at the wrong layer. By the time network traffic is encrypted or logs are generated, the critical context is already lost.

Enter eBPF: Kernel-Level Visibility Changes Everything

eBPF (extended Berkeley Packet Filter) operates directly in the Linux kernel, providing visibility at the exact point where applications hand data to the network stack—before TLS encryption occurs. This positioning enables something previously impossible: seeing inside encrypted connections while maintaining zero performance impact.

Here's what Qpoint's eBPF-based egress monitoring would have observed during the Shai-Hulud infection:

Detection Point 1: Credential Exfiltration

When the worm's postinstall script executed, eBPF would have captured:

  • Process context: npm install → node → postinstall script
  • Connection details: Outbound HTTPS to webhook.site
  • Payload content: AWS credentials, npm tokens, GitHub PATs (before encryption)
  • Behavioral anomaly: Package installation sending credentials to external domain

This combination—a package manager sending authentication tokens to webhook.site—is never legitimate. Detection would be instant and unambiguous.

Detection Point 2: Worm Propagation Attempts

As the worm attempted to spread, eBPF would have observed:

  • Node.js process making authenticated calls to api.npmjs.org
  • POST requests to /package/ endpoints (publishing new versions)
  • npm authentication tokens in the request headers
  • Critical pattern: Package installation publishing new packages

Detection Point 3: Cloud Secret Harvesting

The worm's attempts to enumerate cloud secrets would trigger immediate detection:

  • Connections to secretsmanager.us-east-1.amazonaws.com
  • Connections to secretmanager.googleapis.com
  • AWS and GCP credentials in request payloads
  • Suspicious pattern: npm process accessing cloud secret stores

The Power of Process-to-Network Attribution

The key advantage of eBPF-based monitoring is complete process lineage. You don't just see that webhook.site received data; you see the entire chain:

npm install @ctrl/tinycolor
  └── spawns: node (PID 4892)
      └── executes: postinstall.js
          └── connects to: webhook.site
              └── sends: AWS_ACCESS_KEY=AKIA...

This attribution is crucial. Many applications legitimately connect to external services, but a package installation process should never:

  • Send credentials to webhook domains
  • Publish new npm packages during installation
  • Query cloud secret management APIs
  • Create GitHub repositories with credential data

Real-Time Classification: Seeing Secrets in Motion

Qpoint's Qscan classification engine uses a hybrid approach combining deterministic pattern matching with machine learning to identify sensitive data in real-time:

  • AWS Access Keys: AKIA[0-9A-Z]{16} patterns
  • npm Tokens: npm_[a-zA-Z0-9]{36} format
  • GitHub PATs: ghp_[a-zA-Z0-9]{36} structure
  • API Keys: High-entropy strings with known prefixes

This classification happens on your infrastructure, analyzing the data before it's encrypted and leaves your network. The moment Shai-Hulud attempted to exfiltrate its first credential, the attack would be detected.
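To make the three detection points and the process-lineage rule concrete, here is an added example (not Qpoint's code and not part of the original post) that applies the credential patterns and behavioral rules described above to constructed egress events. The event shape, the registry host list and the package-manager process names are assumptions; only the secret patterns, the webhook, secret-store and api.npmjs.org hosts come from the post.

```python
import re
from dataclasses import dataclass, field

# Deterministic credential patterns quoted in the post (AWS key, npm token, GitHub PAT).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
SECRET_STORE_HOSTS = {"secretsmanager.us-east-1.amazonaws.com", "secretmanager.googleapis.com"}
REGISTRY_HOSTS = {"registry.npmjs.org", "api.npmjs.org"}  # assumed; post names api.npmjs.org
PACKAGE_MANAGERS = {"npm", "yarn", "pnpm"}                # assumed lineage roots of an install

@dataclass
class EgressEvent:            # hypothetical shape of one pre-encryption egress observation
    lineage: list             # process names, root first, e.g. ["npm", "node"]
    host: str
    method: str
    headers: dict = field(default_factory=dict)
    payload: str = ""

def classify_secrets(event):
    """Credential types visible in headers or body, i.e. in the clear before TLS."""
    text = " ".join([event.payload, *event.headers.values()])
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))

def detect(event):
    """Apply the post's three detection points; an empty list means nothing to flag."""
    findings = []
    if not PACKAGE_MANAGERS & set(event.lineage):
        return findings       # attribution gate: only install-time lineage is in scope
    secrets = classify_secrets(event)
    if secrets and event.host not in REGISTRY_HOSTS:
        findings.append(("credential_exfiltration", event.host, secrets))
    if event.host in REGISTRY_HOSTS and event.method in ("POST", "PUT"):
        findings.append(("install_time_publish", event.host, secrets))
    if event.host in SECRET_STORE_HOSTS:
        findings.append(("secret_store_access", event.host, secrets))
    return findings

# Constructed sample events (not real captures); token values are dummies.
EXFIL = EgressEvent(["npm", "node"], "webhook.site", "POST",
                    payload="AWS_ACCESS_KEY=" + "AKIA" + "A" * 16)
PUBLISH = EgressEvent(["npm", "node"], "api.npmjs.org", "POST",
                      headers={"authorization": "Bearer npm_" + "a" * 36})
FETCH = EgressEvent(["npm", "node"], "registry.npmjs.org", "GET",
                    headers={"authorization": "Bearer npm_" + "a" * 36})
SERVICE = EgressEvent(["systemd", "node"], "secretsmanager.us-east-1.amazonaws.com", "POST")
```

Note that FETCH carries the same npm token as PUBLISH but produces no finding: the token going to the registry on a GET is what a normal install looks like, and it is the combination of lineage, destination and method that separates that from exfiltration or install-time publishing.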

Why Speed Matters: The Detection Timeline

With Qtap's eBPF monitoring, the Shai-Hulud detection timeline would look like this:

  • T+0 seconds: npm install executes malicious postinstall
  • T+2 seconds: First webhook.site connection detected
  • T+2.5 seconds: Credentials identified in outbound payload
  • T+3 seconds: Behavioral anomaly flagged (npm → webhook.site with secrets)
  • T+5 seconds: Automated alerts sent to team for triage

Compare this to the actual timeline where the worm operated undetected for hours, spreading to 500+ packages before discovery.

Beyond Detection: Quantifying Supply Chain Risk

Qpoint doesn't just detect attacks—it continuously quantifies your supply chain risk by maintaining a real-time inventory of:

  • Every third-party service your backend systems connect to
  • What type of data flows to each service
  • Which processes initiate these connections
  • When new, unexpected connections appear

For Shai-Hulud, this would mean:

  • Immediate identification of webhook.site as a new, suspicious third party
  • Classification showing credentials being sent (critical risk)
  • Process attribution revealing npm packages as the source
  • Automated risk scoring flagging this as highest priority

The Fundamental Shift: From Perimeter to Data-Centric Security

The Shai-Hulud worm demonstrates why the future of security is data-centric rather than perimeter-centric. In modern cloud-native environments:

  • There is no perimeter—workloads run everywhere
  • Encryption is ubiquitous—you can't inspect network traffic
  • Attacks originate from within—via compromised dependencies
  • Speed is critical—attacks propagate in seconds, not hours

Qpoint's eBPF-based data-in-motion security addresses all these challenges by:

  • Operating wherever Linux runs (cloud, containers, VMs)
  • Capturing data before encryption at the kernel level
  • Providing complete process-to-network visibility
  • Enabling real-time detection and response

Lessons for Security Teams

The Shai-Hulud attack offers clear lessons for security teams:

  1. You can't secure what you can't see. If you don't know what data your systems are sending to which third parties, you're flying blind.
  2. Process context is critical. A connection to webhook.site might be suspicious; npm sending credentials there is definitely an attack.
  3. Real-time matters. The worm spread to 500+ packages in 48 hours. Detection after the fact is failure.
  4. Supply chain attacks are data exfiltration attacks. The goal isn't to break your system—it's to steal your credentials and data.
  5. Traditional tools weren't built for this. Network monitoring, SIEM, and cloud security platforms all have their place, but they can't see inside encrypted backend data flows.

The Path Forward

The September 2025 npm attacks weren't the first supply chain compromises, and they won't be the last. As attackers evolve from simple package poisoning to self-replicating worms, our security architectures must evolve too.

Qpoint's eBPF-based data-in-motion security represents this evolution—providing the kernel-level visibility needed to see what's actually happening in your production environment. It fills the critical gap existing tools can't address: what sensitive data is flowing from your backend systems to the internet, right now.

The Shai-Hulud worm proved that sophisticated supply chain attacks can propagate faster than human response times. The question for security teams is simple: Do you have visibility into your data in motion, or are you waiting for the next webhook.site to appear in your logs—after the damage is done?
In a world where every dependency is a potential threat vector, the ability to see and classify data in motion is the foundation for supply chain defense. The kernel doesn't lie, and with Qpoint, neither does your security posture.