Poisoning the FOSS Well

How AI is Poisoning the Free and Open Source Software Movement

Indrajeet Patil

FOSS developer, 8+ years

ZEISS FOSS CoP

24th June, 2026

An old water well in a grassy field

Photo: Daniel Prado / Unsplash

Source code for these slides can be found on GitHub.

The FOSS well

Generated illustration of an open-source commons as a stone well fed by review labour, trust, and reciprocity, with a synthetic digital current disturbing the system

96% of codebases include open-source software; $8.8T estimated global replacement value.

FOSS runs on three social inputs — review labour, trust, and reciprocity. LLMs put strain on all three at once.

Boundary: Low-quality PRs and burnout predate LLMs. AI changes speed, volume, and plausibility; the underlying commons problem is still under-compensated maintainer labour.

Review labour

AI volume overwhelms the people who turn patches into shared infrastructure.

The flood in numbers

GitHub blog figure showing record acceleration of pull requests merged, commits, and new repositories per month

AI PR quality is still a review burden. CodeRabbit reports AI-generated PRs carry 1.7x more issues than human-written ones.

Sources: GitHub AI Agent Problem · GitHub, open source in 2026 · CodeRabbit

Pollution of Pull Requests

Cheap to submit.
Expensive to review.

  • Plausible diff
  • No context
  • No ownership after feedback

Public example, February 2026
Matplotlib maintainer Scott Shambaugh rejected an AI-authored change. Hours later, an AI persona published a personal attack piece about him.

Screenshot of Scott Shambaugh's post about an AI agent publishing a hit piece after a rejected pull request

Source: Scott Shambaugh, “An AI Agent Published a Hit Piece on Me”

When the bounty backfires

Stylized evidence card showing curl's bug bounty shutdown in February 2026 after AI slop overwhelmed the security team, and its reopening in March after AI quality improved

Seven fake reports in 16 hours
Each one plausible enough to demand triage — the real cost is maintainer attention, not the reports themselves.

Sources: The Register · The New Stack · Daniel Stenberg, FOSDEM 2026

Shared maintenance breaks first

Stylized evidence card showing Jazzband's March 2026 sunsetting after AI spam made its open-membership model untenable

Before: Anyone could join, triage issues, and merge PRs across 80+ packages. Shared trust scaled maintenance without centralised control.

After: AI spam made open membership a liability. Django projects have Django Commons; non-Django packages must find new homes or risk going unmaintained.

Sources: Jazzband sunsetting announcement · Jazzband wind-down plan

Narrower funnels

Stylized snapshot of tldraw's January 2026 issue announcing automatic closure of pull requests from external contributors

Issues, bug reports, and discussions stayed open. What narrowed was the expensive part: reviewable code.

Ghostty went further: first-time contributors now need a maintainer vouch before a PR stays open.

Source: tldraw issue #7695, “Contributions policy”

Not all bans: A scan of 1,000 popular repositories found 118 AI contribution policies — 78% allow GenAI but require disclosure and human review. The emerging norm is accountability, not prohibition.

Who pays

Source: Mara Averick, stdlib, 2026

Trust

AI erodes the good-faith signals contributors and maintainers rely on.

AI amplifies the trust collapse


XZ Utils changed the baseline
The lesson was not “review newcomers less kindly.” It was that trust itself can be weaponized.

AI flood changes the front door
When maintainers see more bot-shaped PRs, every unsolicited submission becomes costlier to parse and easier to distrust.

Context: Veritasium, “The Most Clever Attack in Computing History”

When code has no paper trail

Stylized evidence card showing chardet's AI-assisted relicensing from LGPL to MIT via Claude rewrite

Licence laundering.
AI can regenerate copyleft code into a permissive project — no verbatim copy, but the original terms may still apply.

Provenance black box.
An LLM cannot say where its output came from. Audits that used to trace imports now hit a dead end.

Regulated sectors feel it first: medical devices, automotive, and defence already require full provenance.

Sources: The Register, “AI will kill software licensing” · Black Duck OSSRA 2026 · FDA SBOM guidance · EU CRA SBOM requirements

Hallucinations as supply-chain bait

The package does not need to exist first.
The model can invent it. An attacker can register it later.

5.2% vs 21.7%
Average package-hallucination rate for commercial versus open-weight models (2024).

Screenshot of the USENIX article about comprehensive analysis of package hallucinations in code-generating LLMs

Sources: USENIX ;login:, 2025 · USENIX Security ’25 · 205,474 phantom names observed

Trend vs. floor: Newer models hallucinate fewer packages, but Kalai (OpenAI, 2024) proved that calibrated language models have an irreducible hallucination rate — the floor is above zero by design, not just by current limitation.

Security Exploitation

Noise became part of the incident.

March 2026
LiteLLM issue #24512 warned that the package on PyPI was compromised.

Nearly 500 comments
The thread was submerged in repetitive bot-shaped replies.
Briefly closed as not_planned, then reopened; a separate status thread stayed open.

Screenshot of the LiteLLM security issue flooded with repetitive comments

Sources: LiteLLM issue #24512 · status thread #24518

Broader trend: ReversingLabs reports a 73% increase in malicious OSS package detections in 2025, with npm accounting for nearly 90% of detected open-source malware.

Reciprocity

AI breaks the implicit exchange that funds and sustains open-source work.

The docs-led business-model shock

Screenshot of Tailwind CSS sponsorship page asking companies to support the future of Tailwind CSS

Sources: Adam Wathan on PR #2388 · Tailwind Sponsor · Tailwind Plus

Causation vs. correlation: Tailwind’s traffic drop could also stem from AI-powered search, market saturation, or competitors. AI isn’t necessarily the sole driver.

Open source as a liability

Screenshot of Cal.com blog post announcing a move to closed source

Actual move: Cal.com
In April 2026 the scheduling SaaS went closed source after five years in public.

Security rationale
The company said AI can scan public code for vulnerabilities and turn transparency into customer-data exposure.

Sources: Cal.com closed-source announcement

Room for hope

The costs are real. So are the responses.

Useful AI gives stewardship time back

+5.9% OSS contributions

Copilot use was associated with higher code contributions, even as coordination time also rose (2024 study).

curl bounty came back

After shutting down in February, curl reopened on HackerOne in March 2026 — AI report quality had improved enough to make the programme viable again.

Accountable reports work

Ghostty accepted transparent AI-assisted reports that helped fix four real crashes.

AI finds real vulnerabilities

Anthropic’s Mythos, run via Linux Foundation Alpha Omega, reviewed curl’s source and flagged five potential vulnerabilities. One was confirmed real.

Triage relief

First-pass issue sorting with Copilot SDK can make maintainership more sustainable by filtering noise before it reaches human reviewers.

The line is not AI versus no AI. It is whether the tool reduces stewardship burden or exports it to maintainers.

Sources: Song et al. (arXiv, 2024) · GitHub Blog, 2026 · Continue Blog, 2026 · Cybernews on curl and Mythos

Conclusion

What it takes to keep the well drinkable.

Keep the well drinkable

Maintainers: protect review time
  • Require AI disclosure
  • Close synthetic drive-bys fast
  • Demand follow-up ownership before merge

Platforms: protect provenance
  • Ship attribution tooling
  • Surface AI-provenance signals on PRs
  • Fund forge alternatives and interoperability

Companies & funders: protect the commons
  • Verify dependencies you ship
  • Fund maintainers upstream
  • Keep a real entry path for newcomers

Generated editorial illustration of a protected stone FOSS well with three guardrail systems for review time, provenance, and commons stewardship

If openness becomes unaffordable, FOSS stops regenerating.

Thank You

Questions and critiques welcome.
