[resending as my e-mail yesterday went to the moderation queue]

I've been building out an open-source platform for supply-chain detection over the last 6 months, based on my previous work at Chainguard. While it's still a work in progress, the recent attacks have tipped my hand, so here it goes: https://atomdrift.org/ (Apache 2.0)

TL;DR - We're building an automated local reverse-engineering and detection platform, powered by tiny local deterministic AI models, retrained constantly based on recent attacks and threat feeds. Because it uses other great open-source projects under the hood (tree-sitter, rizin, etc.) rather than just pattern matching, it's immune to most obfuscation attacks.

Atomdrift's detection is runnable via a simple Rust CLI tool (https://codeberg.org/atomdrift/scan). No special hardware required. If you have a local LLM, we support an optimized path for getting a second opinion from it via --interpret that provides a summary and steers confidence levels.

While our training pipeline has been pulling from open-source marketplaces for months, yesterday we just started scanning AUR updates rather than new additions, and here's an example of what it looks like: https://lab.atomdrift.org/file/720b4275223cf0e27e60fdae069eba53b1869d44e46b8...

Here's a link to the Arch pipeline results: https://lab.atomdrift.org/arch/

I built this to help open-source, and would love to figure out how I can help ArchLinux with their supply chain issues - whether it's just discussing ideas, making a sustainable alert pipeline to what is up and running already, running the pipeline on your infra, or collaborating on development. As atomdrift both emits scores and lets you tune for a specific acceptable false-positive level, one idea for AUR could be automated review or publishing delay based on confidence levels.

The compute-side runs on Arch, btw.

Thomas
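The message above proposes gating AUR publication on scanner confidence, with the threshold tuned to an acceptable false-positive level. The following is an added, constructed example of how such a policy layer could work; it is not atomdrift's code and does not use its real output format. It assumes a per-package score in [0, 1) where higher means more suspicious, a calibration set of scores from packages assumed benign, and two false-positive budgets: a looser one that only delays publishing and a tighter one that pulls a human in. The package names and scores are made up.

```python
# Hypothetical publishing-delay policy for an AUR-style pipeline, keyed on a
# per-package suspicion score. Constructed example: not atomdrift's code, and
# the score scale, names and numbers below are assumptions, not the scanner's
# real output format.
import math
from enum import Enum


class Action(Enum):
    PUBLISH = "publish"   # below both thresholds: ship as usual
    DELAY = "delay"       # suspicious enough to hold for a cooling-off period
    REVIEW = "review"     # suspicious enough to require a human first


def threshold_for_fpr(benign_scores, target_fpr):
    """Return the lowest threshold t such that flagging every score >= t marks
    at most target_fpr of the known-benign calibration set.

    Ties are handled conservatively: benign samples sharing a score are either
    all flagged or none are, and t is only accepted when the resulting count
    stays within budget. With a budget of zero the threshold is moved just
    above the highest benign score seen.
    """
    if not benign_scores:
        raise ValueError("calibration set must not be empty")
    if not 0.0 <= target_fpr < 1.0:
        raise ValueError("target_fpr must be in [0, 1)")
    budget = math.floor(target_fpr * len(benign_scores))
    for t in sorted(set(benign_scores)):
        flagged = sum(1 for x in benign_scores if x >= t)
        if flagged <= budget:
            return t
    return math.nextafter(max(benign_scores), math.inf)


def empirical_fpr(benign_scores, threshold):
    """Fraction of the benign calibration set that a threshold would flag."""
    return sum(1 for x in benign_scores if x >= threshold) / len(benign_scores)


def decide(score, delay_threshold, review_threshold):
    """Map one package's score to a publishing action."""
    if score >= review_threshold:
        return Action.REVIEW
    if score >= delay_threshold:
        return Action.DELAY
    return Action.PUBLISH


def gate_updates(updates, benign_scores, delay_fpr=0.05, review_fpr=0.01):
    """Calibrate both thresholds on the benign set, then classify each update.

    delay_fpr is the false-positive rate accepted for a mere publishing delay;
    review_fpr, the tighter one, for requiring human review.
    Returns {package_name: Action}.
    """
    if review_fpr > delay_fpr:
        raise ValueError("review_fpr must not exceed delay_fpr")
    t_delay = threshold_for_fpr(benign_scores, delay_fpr)
    t_review = threshold_for_fpr(benign_scores, review_fpr)
    return {name: decide(score, t_delay, t_review)
            for name, score in updates.items()}


# Constructed calibration data: 50 scores in [0, 1) from packages assumed
# benign, evenly spread so the worked numbers are easy to check by hand.
BENIGN_SCORES = [round(i / 50, 2) for i in range(50)]

# Constructed batch of incoming updates with made-up names and scores.
INCOMING_UPDATES = {
    "example-lib": 0.12,
    "example-tool": 0.95,
    "example-plugin": 0.97,
    "example-daemon": 0.99,
}

if __name__ == "__main__":
    t_delay = threshold_for_fpr(BENIGN_SCORES, 0.05)
    t_review = threshold_for_fpr(BENIGN_SCORES, 0.01)
    print(f"delay  >= {t_delay:.2f} "
          f"(benign FPR {empirical_fpr(BENIGN_SCORES, t_delay):.2%})")
    print(f"review >= {t_review:.2f} "
          f"(benign FPR {empirical_fpr(BENIGN_SCORES, t_review):.2%})")
    for name, action in gate_updates(INCOMING_UPDATES, BENIGN_SCORES).items():
        print(f"{name:16} -> {action.value}")
```

Calibrating on a benign set only controls how many clean packages get delayed or held; it says nothing about how many malicious ones slip through, so the benign sample has to be representative of the traffic being gated and the thresholds re-derived whenever the model is retrained, since a new model's scores are not comparable to the old one's.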