The Atomdrift research lab will be offline for several hours today while engineers upgrade the network uplink that has been pinned at line rate, around the clock, under the load of the lab's own supply-chain crawler.
That crawler is forager, a Go service that polls public package registries for new and updated releases and feeds them to litmus and cleave for malware analysis. Open-source maintainers do not publish on a schedule; they publish continuously, and forager ingests continuously to match.
forager presently tracks more than 100 marketplaces. A sample, drawn from its pkg/registry tree:
- Language registries: npm, PyPI, crates.io, RubyGems, Maven Central, NuGet, Packagist, Hex, Hackage, CPAN, CRAN, LuaRocks, Clojars, pub.dev, Go modules, unpkg.
- OS repositories: Homebrew, Alpine, Arch and the AUR, Debian, Fedora, RPM Fusion, Wolfi, FreeBSD ports, NetBSD pkgsrc, OpenBSD ports.
- Windows and macOS: Chocolatey, Scoop, Winget, PowerShell Gallery, MacUpdate.
- Browser and editor marketplaces: Chrome Web Store, Edge Add-ons, Mozilla Add-ons, VS Code Marketplace, Open VSX, WordPress plugins.
- Other: GitHub Releases, the GitHub Actions marketplace, and a long tail of vendor download sites.
In aggregate, the trickle from each source is a firehose, and the pipe is full. The new uplink restores headroom.
Security engineers running Atomdrift tooling will not notice the outage. litmus and cleave ship deterministic local AI/ML models: every verdict is computed on the operator's own hardware, with no callback to a cloud scoring service. No SaaS, no SaaS downtime.