Sorry, lost the link, here you go:
https://aur.archlinux.org/packages/atomdrift-scan

Best,
Pasha


On Mon, 15 Jun 2026 at 13:21, Pasha Finkelshtein <
[email protected]> wrote:

> I dared to publish atomdrift-scan as a package to AUR, I would be
> gracious if you could eyeball it and say if you think it's fine
>
> Best,
> Pasha
>
> On Mon, 15 Jun 2026 at 12:15, Pasha Finkelshtein <
> [email protected]> wrote:
>
>> Scanning built packages of scary because it requires building, which can
>> involve malicious actions, but probably need to perform 2-pass scanning:
>> pkgbuild-build-scan binary
>>
>> Pasha Finkelshteyn
>> Developer Advocate [image: Logo] <https://bell-sw.com/>
>> Mobile: +49 1525 981-7123
>> Email: [email protected]
>> bell-sw.com   [image: facebook icon] <https://www.facebook.com/asm0dey>
>>   [image: twitter icon] <https://twitter.com/asm0di0>   [image: linkedin
>> icon] <https://www.linkedin.com/in/asm0dey>   [image: instagram icon]
>> <https://www.instagram.com/asm0dey>   [image: telegram icon]
>> <https://t.me/asm0dey>
>>
>> On Mon, 15 Jun 2026, 12:07 Thomas Stromberg, <[email protected]> wrote:
>>
>>>
>>>
>>> On Mon, Jun 15, 2026 at 2:12 AM Pasha Finkelshtein <
>>> [email protected]> wrote:
>>>
>>>> Hi Thomas,
>>>>
>>>> First of all, thank you for what you're doing, it looks amazing!
>>>>
>>>
>>> Thanks! It's been truly a labor of love.
>>>
>>>
>>>> Second, I'm not a maintainer, just a mere user. As a mere user, I'd
>>>> love to have some kind of cli tool, that could scan package for me before I
>>>> build/install it.
>>>>
>>>
>>> That's available:
>>>
>>> git clone https://codeberg.org/atomdrift/scan.gitcd scan
>>> make install
>>>
>>> ascan fs /path/to/aur
>>>
>>> That will recursively scan a path - containing an AUR or whatever -
>>> including within archives (if it doesn't work - let me know). Unlike most
>>> tools, Atomdrift reverse-engineers both code and binary content, applying
>>> common rules to both.
>>>
>>> One important limitation: AS does not yet follow external file
>>> references (other packages, URLs), but it does detect unusual external
>>> references, which have flagged many of the AUR attacks. I'm working on
>>> the external refs feature as we speak; and hope to have the initial
>>> implementation added behind a --fetch flag later today.
>>>
>>> Third, I'm not sure how Atomdrift works, but the code of AUR itself is
>>>> also open and probably you might see a way how to integrate scanning into
>>>> the pipeline?  Like when someone committs an update to a package, it runs
>>>> thru Atomdrift.
>>>>
>>>
>>> Yup, that should entirely be possible! At Chainguard, we deployed a
>>> similar sort of tool as part of our code review process. The more
>>> interesting part of the tooling that is yet to be released is differential
>>> analysis (you can get a preview by the diff subcommand in
>>> https://codeberg.org/atomdrift/cleave) - that's where things get really
>>> exciting for this use case. That will then flag the interesting
>>> xzutils-inspired question: why did a v1.0.0 -> v1.0.1 bump yield a 93%
>>> behavioral change?
>>>
>>>
>>>>
>>>> Best,
>>>> Pasha
>>>>
>>>> Pasha Finkelshteyn
>>>> Developer Advocate [image: Logo] <https://bell-sw.com/>
>>>> Mobile: +49 1525 981-7123
>>>> Email: [email protected]
>>>> bell-sw.com   [image: facebook icon] <https://www.facebook.com/asm0dey>
>>>>    [image: twitter icon] <https://twitter.com/asm0di0>   [image:
>>>> linkedin icon] <https://www.linkedin.com/in/asm0dey>   [image:
>>>> instagram icon] <https://www.instagram.com/asm0dey>   [image: telegram
>>>> icon] <https://t.me/asm0dey>
>>>>
>>>> On Mon, 15 Jun 2026, 04:43 Thomas Stromberg, <[email protected]> wrote:
>>>>
>>>>> [resending as my e-mail yesterday went to the moderation queue]
>>>>>
>>>>> I've been building out an open-source platform for supply-chain
>>>>> detection over the last 6 months, based on my previous work at Chainguard.
>>>>> While it's still a work in progress, the recent attacks have tipped my
>>>>> hand, so here it goes: https://atomdrift.org/ (Apache 2.0)
>>>>>
>>>>> TL;DR - We're building an automated local reverse-engineering and
>>>>> detection platform, powered by tiny local deterministic AI models,
>>>>> retrained constantly based on recent attacks and threat feeds. Because it
>>>>> uses other great open-source projects under the hood (tree-sitter, rizin,
>>>>> etc) rather than just pattern matching, it's immune to most obfuscation
>>>>> attacks.
>>>>>
>>>>> Atomdrift's detection is runnable via a simple rust CLI tool (
>>>>> https://codeberg.org/atomdrift/scan). No special hardware required.
>>>>> If you have a local LLM, we support an optimized path for getting a second
>>>>> opinion from it via --interpret that provides a summary and steers
>>>>> confidence levels.
>>>>>
>>>>> While our training pipeline has been pulling from open-source
>>>>> marketplaces for months, yesterday we just started scanning AUR updates
>>>>> rather than new additions, and here's an example of what it looks like:
>>>>> https://lab.atomdrift.org/file/720b4275223cf0e27e60fdae069eba53b1869d44e46b8c9f09975405e75763f9
>>>>>
>>>>> Here's a link to the Arch pipeline results:
>>>>> https://lab.atomdrift.org/arch/
>>>>>
>>>>> I built this to help open-source, and would love to figure out how I
>>>>> can help ArchLinux with their supply chain issues - whether it's just
>>>>> discussing ideas, making a sustainable alert pipeline to what is up
>>>>> and running already, running the pipeline on your infra, or
>>>>> collaborating on development.
>>>>>
>>>>> As atomdrift both emits scores and lets you tune for a specific
>>>>> acceptable false-positive level, one idea for AUR could be automated 
>>>>> review
>>>>> or publishing delay based on confidence levels.
>>>>>
>>>>> The compute-side runs on Arch, btw.
>>>>> Thomas
>>>>>
>>>>

Reply via email to