Yeah, I wonder why it did
On Mon, Jun 15, 2026, 05:43 Thomas Stromberg <[email protected]> wrote: > [resending as my e-mail yesterday went to the moderation queue] > > I've been building out an open-source platform for supply-chain detection > over the last 6 months, based on my previous work at Chainguard. While it's > still a work in progress, the recent attacks have tipped my hand, so here > it goes: https://atomdrift.org/ (Apache 2.0) > > TL;DR - We're building an automated local reverse-engineering and > detection platform, powered by tiny local deterministic AI models, > retrained constantly based on recent attacks and threat feeds. Because it > uses other great open-source projects under the hood (tree-sitter, rizin, > etc) rather than just pattern matching, it's immune to most obfuscation > attacks. > > Atomdrift's detection is runnable via a simple rust CLI tool ( > https://codeberg.org/atomdrift/scan). No special hardware required. If > you have a local LLM, we support an optimized path for getting a second > opinion from it via --interpret that provides a summary and steers > confidence levels. > > While our training pipeline has been pulling from open-source marketplaces > for months, yesterday we just started scanning AUR updates rather than new > additions, and here's an example of what it looks like: > https://lab.atomdrift.org/file/720b4275223cf0e27e60fdae069eba53b1869d44e46b8c9f09975405e75763f9 > > Here's a link to the Arch pipeline results: > https://lab.atomdrift.org/arch/ > > I built this to help open-source, and would love to figure out how I can > help ArchLinux with their supply chain issues - whether it's just > discussing ideas, making a sustainable alert pipeline to what is up and > running already, running the pipeline on your infra, or collaborating on > development. > > As atomdrift both emits scores and lets you tune for a specific > acceptable false-positive level, one idea for AUR could be automated review > or publishing delay based on confidence levels. > > The compute-side runs on Arch, btw. > Thomas >
