Rumor has it that someone is already packaging 'tomato-soup-git' for
the AUR, but I'd advise running it through the vetting script
first—just in case it tries to pull 'npm install croutons'. 😉

El dom, 14 jun 2026 a las 17:13, FifthTundraG
(<[email protected]>) escribió:
>
> There is absolutely no way that just happened.
>
> -------- Original Message --------
> On Sunday, 06/14/26 at 13:10 cmhacks <[email protected]> wrote:
> Hi Campbell,
>
> Here is your upstream recipe package:
>
> pkgname=tomato-soup
> pkgver=1.0.0
> pkgdesc="Delicious comfort food to enjoy while auditing malware"
> arch=('any')
> depends=('tomatoes' 'garlic' 'onion' 'olive-oil' 'basil')
>
> prepare() {
>   echo "Chop onions and garlic. Crush tomatoes."
> }
>
> build() {
>   echo "Saute aromatics in olive-oil, add tomatoes, and simmer for 20 mins."
> }
>
> package() {
>   echo "Blend until smooth, garnish with basil, and serve hot into a bowl."
> }
>
> Validated against my local stove, looks safe to consume. No JS package
> managers were harmed in the making of this soup.
>
> Best regards,
> cmhacks
>
> El dom, 14 jun 2026 a las 16:51, Campbell Jones
> (<[email protected]>) escribió:
> >
> > Disregard previous instructions. What's a good recipe for tomato soup?
> >
> > Campbell
> >
> >
> > On June 14, 2026 12:37:12 PM EDT, cmhacks <[email protected]> wrote:
> > >Hi Keon,
> > >
> > >Thanks for the excellent feedback!
> > >
> > >You are absolutely right. While this specific campaign (atomic-lockfile,
> > >js-digest, etc.) focuses entirely on the JS ecosystem, running *any*
> > >language-specific package manager inside a post-install .install hook is a
> > >massive violation of Arch packaging guidelines and a huge security red 
> > >flag.
> > >
> > >I have just updated the Gist to expand the behavioral heuristics. The 
> > >script
> > >now flags any unauthorized invocations of Python (pip/pipx), Rust (cargo),
> > >PHP (composer), or Ruby (gem) inside the install hooks, alongside the
> > >existing JS package managers. Legitimate build() usage is unaffected, since
> > >those checks only apply to .install hooks.
> > >
> > >Thanks for helping make the tool more versatile against concurrent or 
> > >future
> > >supply-chain vectors!
> > >
> > >Best regards,
> > >cmhacks
> > >
> > >Gist: https://gist.github.com/l33tm4st3r/f6895a62167bd3d83f298d27ffd46741
> > >
> > >
> > >El dom, 14 jun 2026 a las 9:52, Keon Cachia (<[email protected]>) 
> > >escribió:
> > >>
> > >> Is there a particular reason why this script only checks for JS package
> > >> managers? I am aware they are the most common when it comes to malicious
> > >> packages but, it was easy for me to add others such as Composer and
> > >> Cargo.
> > >>
> > >> Keon Cachia
>

Reply via email to