A runtime security approach to detecting supply chain attacks
ID: c25cdc73-ca0e-552d-86d1-36b0d864a108
STIX ID: report--c25cdc73-ca0e-552d-86d1-36b0d864a108
Feed Name: Datadog Security Labs
In September 2025 the npm ecosystem was hit by a large supply-chain campaign (Shai-Hulud) that injected an infostealer with worm-like propagation into 500+ packages via post-install scripts and CI/CD token exfiltration; the malware runs TruffleHog to harvest credentials, exfiltrates the data to a webhook, and attempts to publish infected package versions to spread further. The report emphasizes compromise of CI/CD pipelines and self-hosted runners via stolen tokens, and demonstrates runtime detection using Datadog Workload Protection (eBPF-based sensors and SECL rules) to build execution contexts that correlate tactics and surface coherent compromise stories.