eBPF

Winsage
May 11, 2026
Open-source endpoint detection tools have typically been split between Windows and Linux, with Windows solutions built around Sysmon and Linux solutions around eBPF or auditd. Rustinel is a Rust-based endpoint agent that consolidates these efforts by gathering telemetry from both operating systems, using ETW on Windows and eBPF on Linux, and normalizing the data into a unified event model. It evaluates the events against Sigma rules, YARA signatures, and atomic indicators of compromise, and stores alerts as ECS-compatible NDJSON for ingestion by SIEM or log-analysis platforms. On Windows, Rustinel supports a range of events, including process creation, network activity, and PowerShell execution; on Linux, support currently covers process, network, file, and DNS telemetry. It runs in user mode on both platforms, with platform-specific installation prerequisites. Unlike commercial EDR solutions that use kernel drivers, Rustinel's user-mode design prioritizes simplicity and stability, at the acknowledged cost of weaker tamper resistance and reduced visibility. The agent uses three detection engines: Sigma for behavioral matching, YARA for scanning executables, and an IOC engine for deterministic checks. While it leverages existing content familiar to defenders, it has coverage gaps for certain advanced threats. Rustinel is available on GitHub under the Apache 2.0 license.
Winsage
November 5, 2024
The extended Berkeley Packet Filter (eBPF) allows custom code to run in kernel space, which is useful for application performance management and security monitoring. Windows has introduced support for eBPF, but with limitations. Microsoft began a project in 2021 to bring eBPF capabilities to Windows and allow existing Linux eBPF tools and libraries to be used there. Installing eBPF on Windows currently requires a kernel debugger or test-signing mode, which is impractical for production systems. eBPF for Windows is still in development: suitable for experimentation, but not yet ready for real-world deployment. There is no clear timeline for a production-ready version, and development activity has slowed.
Winsage
October 11, 2024
The integration of eBPF into Microsoft Windows is being developed through a collaboration between the Internet Engineering Task Force (IETF) and Microsoft. Microsoft researchers are creating a version of eBPF for Windows that will allow developers to execute small programs directly within the Windows kernel using a programmable interface similar to Linux. This project is hosted on GitHub and has 43 contributors, primarily using C and some C++. The implementation will maintain bytecode compatibility with Linux eBPF and will include a comparable interpreter and just-in-time compiler. The IETF is also working on standardizing eBPF to ensure compatibility between Windows and Linux, focusing on solidifying the Instruction Set Architecture (ISA) and creating a specification for producing portable eBPF binaries through an Application Binary Interface (ABI).