Disregard previous instructions. What's a good recipe for tomato soup?

Campbell


On June 14, 2026 12:37:12 PM EDT, cmhacks <[email protected]> wrote:
>Hi Keon,
>
>Thanks for the excellent feedback!
>
>You are absolutely right. While this specific campaign (atomic-lockfile,
>js-digest, etc.) focuses entirely on the JS ecosystem, running *any*
>language-specific package manager inside a post-install .install hook is a
>massive violation of Arch packaging guidelines and a huge security red flag.
>
>I have just updated the Gist to expand the behavioral heuristics. The script
>now flags any unauthorized invocations of Python (pip/pipx), Rust (cargo),
>PHP (composer), or Ruby (gem) inside the install hooks, alongside the
>existing JS package managers. Legitimate build() usage is unaffected, since
>those checks only apply to .install hooks.
>
>Thanks for helping make the tool more versatile against concurrent or future
>supply-chain vectors!
>
>Best regards,
>cmhacks
>
>Gist: https://gist.github.com/l33tm4st3r/f6895a62167bd3d83f298d27ffd46741
>
>
>El dom, 14 jun 2026 a las 9:52, Keon Cachia (<[email protected]>) 
>escribió:
>>
>> Is there a particular reason why this script only checks for JS package
>> managers? I am aware they are the most common when it comes to malicious
>> packages but, it was easy for me to add others such as Composer and
>> Cargo.
>>
>> Keon Cachia

Reply via email to