Skip to content

Detect build-time package-manager installs; gate adopted-package installs to MALICIOUS#22

Closed
adelmonte wants to merge 1 commit into
Sohimaster:mainfrom
adelmonte:detect-build-time-pkg-installs
Closed

Detect build-time package-manager installs; gate adopted-package installs to MALICIOUS#22
adelmonte wants to merge 1 commit into
Sohimaster:mainfrom
adelmonte:detect-build-time-pkg-installs

Conversation

@adelmonte

Copy link
Copy Markdown

Motivation

The June 2026 "Atomic Arch" AUR supply-chain campaign hijacked orphaned/adopted packages and added a benign-looking npm install atomic-lockfile / bun install js-digest line to the PKGBUILD or .install file. The malicious payload lives inside the fetched npm/bun package's lifecycle scripts, so the PKGBUILD itself looks clean — traur scored a reconstructed sample 89/100 TRUSTED.

This also addresses the real-world miss in #14: the compromised alvr package fired B-SUBMITTER-CHANGED but still scored 73/OK, because no signal escalated it.

Changes

1. Build-time package-manager install patterns (data/patterns.toml)

  • P-NET-PKG-INSTALL-JS / P-NET-PKG-INSTALL (PKGBUILD) and P-INSTALL-PKG-MANAGER-JS / P-INSTALL-PKG-MANAGER (.install) flag a build/install step that fetches a named package over the network: npm/pnpm/yarn/bun (+35) and pip/gem/cargo/go (+25).
  • The regex requires a package argument, so bare npm install / npm ci / bun install (lockfile installs — legitimate and common) do not match. This is the core false-positive control.

2. Composite escalation gate (src/coordinator.rs)

  • When a package was adopted/taken over (B-SUBMITTER-CHANGED) and has one of the network-install signals, the coordinator emits B-ORPHAN-NET-INSTALL (Behavioral, +90, override gate) → escalates directly to MALICIOUS. This is the piece that catches the alvr-style takeover that previously slipped through at OK.
  • Implemented as a post-collection composite (apply_composite_gates) because no single feature can see another feature's signals.

3. Tests

  • Positive + negative pattern tests (incl. bare-install negatives) in pkgbuild_analysis and install_script_analysis.
  • End-to-end gate tests in coordinator: adopted + install → MALICIOUS; not-adopted + install → no gate.
  • All 440 lib tests pass.

Relationship to #20

#20 targets the same campaign by flagging newly-added npm/bun entries in the makedepends array via diff (T-DIFF-NEW-DEP-NPM-BUN, +50 Temporal). This PR is complementary and, I think, more complete for actually catching the attack:

  • It detects the install command (not just a dependency declaration), so it fires even when npm/bun is already a declared makedepend, and even on packages that are malicious from creation (no prior version to diff).
  • The override gate actually escalates to MALICIOUS — a +50 Temporal signal (×0.15 weight ≈ 7.5 risk) can't lift a compromised package out of OK, which is exactly the gap in The checking AUR comments section is not working. #14.
  • Broader ecosystem coverage (pip/gem/cargo/go, yarn/pnpm).

#20's dependency-array diff check remains a useful complementary signal (it catches the case where the install is buried in a fetched build script with no visible command), and the two approaches compose well.

…alls to MALICIOUS

Closes the detection gap exposed by the June 2026 "Atomic Arch" AUR
supply-chain attack, which hijacked orphaned packages and added a benign
looking `npm install atomic-lockfile` / `bun install js-digest` line to
the PKGBUILD or .install file. The payload lived inside the fetched npm/bun
package's lifecycle scripts, so the PKGBUILD itself scored TRUSTED.

- patterns: P-NET-PKG-INSTALL{,-JS} (PKGBUILD) and
  P-INSTALL-PKG-MANAGER{,-JS} (.install) flag a build/install step that
  fetches a *named* package over the network (npm/pnpm/yarn/bun/pip/gem/
  cargo/go). A package argument is required so bare `npm install`/`npm ci`/
  `bun install` (lockfile installs) do not match.
- composite gate: coordinator emits B-ORPHAN-NET-INSTALL (override gate ->
  MALICIOUS) when an adopted/taken-over package (B-SUBMITTER-CHANGED) also
  has one of the network-install signals.
- tests for both patterns (incl. bare-install negatives) and the gate.
- silence pre-existing unused-variable warning in bulk.rs.
@adelmonte adelmonte closed this Jun 18, 2026
@adelmonte adelmonte deleted the detect-build-time-pkg-installs branch June 18, 2026 04:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant