GitHub Repository

Behavioral hidden-cryptominer detector for Linux in eBPF — flags processes talking to mining-pool ports while spoofing kernel-thread names. No signatures, no agent, no cloud. CO-RE portable.

3 stars · JavaScript

Poolnarc – catch hidden Linux cryptominers from two eBPF hooks

by r3tr0 · Jun 1, 2026 · 5 points · 1 comment

AI Analysis

●● Solid · Wizardry · Big Brain

eBPF behavioral detection catches miners spoofing thread names without signature databases.

Strengths
  • Kernel-boundary eBPF hooks catch mining traffic without any agent or cloud dependency.
  • CO-RE portable means it runs across Linux kernels without recompilation.
  • Behavioral questions (port + lying process name) beat lagging signature databases.
Weaknesses
  • Linux-only and requires kernel 5.5+, excluding older infrastructure.
  • Falco, Tracee, and EDR tools already cover behavioral security monitoring.
Category
Target Audience

Linux sysadmins, security engineers, incident responders

Similar To

Falco · Tracee · CrowdStrike

Similar Projects

Developer Tools · ●●● Banger

Live, system-wide USB transfer sniffer in eBPF

eBPF-based USB sniffer bypasses usbmon entirely using universal URB hooks for zero-setup debugging.

Wizardry · Solve My Problem · Dark Horse
r3tr0
9018d ago
AI/ML · Mid

OmniClaw – An autonomous AI swarm that runs natively on Termux

Kernel-level AI agents on Android, but half-baked security model and unclear differentiation.

Bold Bet · Ship It
anon89745
113mo ago
Security · ●● Solid

Rust EDR Agent for Linux with eBPF and macOS

Rust EDR with eBPF on Linux competes against CrowdStrike and Wazuh.

Wizardry · Niche Gem
irqlevel
102mo ago