Hi Thomas, First of all, thank you for what you're doing, it looks amazing! Second, I'm not a maintainer, just a mere user. As a mere user, I'd love to have some kind of cli tool, that could scan package for me before I build/install it. Third, I'm not sure how Atomdrift works, but the code of AUR itself is also open and probably you might see a way how to integrate scanning into the pipeline? Like when someone committs an update to a package, it runs thru Atomdrift.
Best, Pasha Pasha Finkelshteyn Developer Advocate [image: Logo] <https://bell-sw.com/> Mobile: +49 1525 981-7123 Email: [email protected] bell-sw.com [image: facebook icon] <https://www.facebook.com/asm0dey> [image: twitter icon] <https://twitter.com/asm0di0> [image: linkedin icon] <https://www.linkedin.com/in/asm0dey> [image: instagram icon] <https://www.instagram.com/asm0dey> [image: telegram icon] <https://t.me/asm0dey> On Mon, 15 Jun 2026, 04:43 Thomas Stromberg, <[email protected]> wrote: > [resending as my e-mail yesterday went to the moderation queue] > > I've been building out an open-source platform for supply-chain detection > over the last 6 months, based on my previous work at Chainguard. While it's > still a work in progress, the recent attacks have tipped my hand, so here > it goes: https://atomdrift.org/ (Apache 2.0) > > TL;DR - We're building an automated local reverse-engineering and > detection platform, powered by tiny local deterministic AI models, > retrained constantly based on recent attacks and threat feeds. Because it > uses other great open-source projects under the hood (tree-sitter, rizin, > etc) rather than just pattern matching, it's immune to most obfuscation > attacks. > > Atomdrift's detection is runnable via a simple rust CLI tool ( > https://codeberg.org/atomdrift/scan). No special hardware required. If > you have a local LLM, we support an optimized path for getting a second > opinion from it via --interpret that provides a summary and steers > confidence levels. > > While our training pipeline has been pulling from open-source marketplaces > for months, yesterday we just started scanning AUR updates rather than new > additions, and here's an example of what it looks like: > https://lab.atomdrift.org/file/720b4275223cf0e27e60fdae069eba53b1869d44e46b8c9f09975405e75763f9 > > Here's a link to the Arch pipeline results: > https://lab.atomdrift.org/arch/ > > I built this to help open-source, and would love to figure out how I can > help ArchLinux with their supply chain issues - whether it's just > discussing ideas, making a sustainable alert pipeline to what is up and > running already, running the pipeline on your infra, or collaborating on > development. > > As atomdrift both emits scores and lets you tune for a specific > acceptable false-positive level, one idea for AUR could be automated review > or publishing delay based on confidence levels. > > The compute-side runs on Arch, btw. > Thomas >
