[resending as my e-mail yesterday went to the moderation queue]

I've been building out an open-source platform for supply-chain detection
over the last 6 months, based on my previous work at Chainguard. While it's
still a work in progress, the recent attacks have tipped my hand, so here
it goes: https://atomdrift.org/ (Apache 2.0)

TL;DR - We're building an automated local reverse-engineering and detection
platform, powered by tiny local deterministic AI models, retrained
constantly based on recent attacks and threat feeds. Because it uses other
great open-source projects under the hood (tree-sitter, rizin, etc) rather
than just pattern matching, it's immune to most obfuscation attacks.

Atomdrift's detection is runnable via a simple rust CLI tool (
https://codeberg.org/atomdrift/scan). No special hardware required. If you
have a local LLM, we support an optimized path for getting a second opinion
from it via --interpret that provides a summary and steers confidence
levels.

While our training pipeline has been pulling from open-source marketplaces
for months, yesterday we just started scanning AUR updates rather than new
additions, and here's an example of what it looks like:
https://lab.atomdrift.org/file/720b4275223cf0e27e60fdae069eba53b1869d44e46b8c9f09975405e75763f9

Here's a link to the Arch pipeline results: https://lab.atomdrift.org/arch/

I built this to help open-source, and would love to figure out how I can
help ArchLinux with their supply chain issues - whether it's just
discussing ideas, making a sustainable alert pipeline to what is up and
running already, running the pipeline on your infra, or collaborating on
development.

As atomdrift both emits scores and lets you tune for a specific acceptable
false-positive level, one idea for AUR could be automated review or
publishing delay based on confidence levels.

The compute-side runs on Arch, btw.
Thomas

Reply via email to