Poisoning the FOSS Well

Indrajeet Patil

Poisoning the FOSS Well

How AI is Poisoning the Free and Open Source Software Movement

Indrajeet Patil

FOSS developer, 8+ years

An old water well in a grassy field

Photo: Daniel Prado / Unsplash

Source code for these slides can be found on GitHub.

FOSS is a giant hidden subsidy

96%

of codebases include open-source software.

Harvard summary of the 2024 working paper

$8.8T

estimated global replacement value if firms had to recreate the OSS they rely on.

Harvard demand-side estimate

2-5x

reported ROI for organisations that actively contribute upstream instead of only consuming OSS.

Linux Foundation, 2026

Modern software runs on FOSS. Pollute the commons, pay a systemic cost.

Sources: HBS AI Institute, October 31, 2024 · Linux Foundation, February 24, 2026

AI can help the well too

+5.9%

Copilot use was associated with higher OSS code contributions, even as coordination time also rose.

Triage relief

Andrea Griffiths: “AI can make maintainership sustainable” when it takes a first pass at repetitive issue triage.

Good AI use exists

Ghostty accepted AI-assisted reports that transparently explained the process and helped fix four real crashes.

This talk is not anti-AI. It is about what happens when speed, anonymity, and volume outrun stewardship.

Sources: Song et al. (arXiv, Jul. 8, 2025) · GitHub Blog, Mar. 27, 2026 · Continue Blog, Feb. 9, 2026

Economics

Who captures the value, and who carries the cost?

Extraction without reciprocity

The paradox is fake
FOSS still needs more human contributors. What it cannot absorb is more anonymous, low-context synthetic volume.

What healthy contribution used to create

Reading docs
Reporting edge cases
Sticking around for review
Becoming a repeat contributor

Not all teams absorb this equally
React can lean on engineers paid by Meta. Independent maintainers and small volunteer teams usually have no such buffer.

Screenshot of the arXiv paper Vibe Coding Kills Open Source

Sources: Koren et al. (arXiv, Jan. 21, 2026) · PC Gamer (Jan. 28, 2026)

Tailwind and the business-model shock

The old loop

Free framework
Docs traffic
Paid wrappers and sponsorships

January 2026

📈 Usage still rising
📉 Docs traffic about 40% below early 2023
📉 Revenue close to 80% lower
👥 75% of engineers laid off

Adoption rose. The docs-led business model cracked.

Screenshot of Tailwind CSS sponsorship page asking companies to support the future of Tailwind CSS

Sources: Adam Wathan on PR #2388 · Tailwind Sponsor · Tailwind Plus

Causation vs. correlation: Tailwind’s traffic drop could also stem from better general-purpose AI search, market saturation, or competitors. AI isn’t necessarily the sole driver. Similarly, “extraction without reciprocity” isn’t purely one-way; many AI labs open-source their models and tools.

Open source as a liability

Example: Malus
An AI “clean room” service claims it can recreate open-source packages from docs and APIs.

The pitch
Keep equivalent functionality, but remove attribution, copyleft, and license obligations.

The liability is no longer only bugs in public code. It is the risk that openness becomes a reconstruction guide.

The fear is not that open source suddenly stops working. It is that AI lowers the cost of routing around the obligations that made sharing sustainable.

Security

Attack surface, supply chain, and code provenance.

Security Exploitation

Noise became part of the incident.

March 24, 2026
LiteLLM issue #24512 warned that the package on PyPI was compromised.

488 comments
The thread was submerged in repetitive bot-shaped replies.
12:49 UTC closed as NOT_PLANNED.
13:49 UTC reopened.

Screenshot of the LiteLLM security issue flooded with repetitive comments

Sources: BerriAI/litellm issue #24512 · issue #24518

Why LLMs tilt the field

Compression
Recon, exploit drafting, follow-up comments, and social engineering now collapse into minutes.

Parallel work
One attacker can write code, write prose, and flood response channels at the same time.

Synthetic volume becomes an attacker advantage.

A close photograph of polluted water

Photo: Maxim Tolchinskiy / Unsplash

Provenance becomes licence laundering

Plausible is not traceable.
Generated code can look mergeable while still hiding its origin, licence lineage, or attribution trail.

The next step is worse.
Malus is a satirical warning, but it captures the logic: AI clean-room claims can be used to dodge attribution and copyleft obligations.

Maintainers answer with attestation, provenance checks, or outright bans on AI-derived code.

Screenshot of the satirical MALUS website warning about AI clean-room recreation to avoid open-source obligations

Sources: malus.sh (satirical warning) · cloud-hypervisor #7162 · Tom’s Hardware (Apr. 12, 2026)

Hallucinations as supply-chain bait

The package does not need to exist first.
The model can invent it. An attacker can register it later.

5.2%
average rate for commercial coding models.

21.7%
average rate for open-weight coding models.

Screenshot of the USENIX article Package Hallucinations: How LLMs Can Invent Vulnerabilities

Sources: USENIX ;login: (Jun. 17, 2025) · USENIX Security ’25 · 205,474 phantom names observed

Community

Review queues, trust, and the contributor pipeline.

Pollution of Pull Requests

Cheap to submit.
Expensive to review.

Plausible diff
No context
No ownership after feedback

Public example, February 2026
Matplotlib maintainer Scott Shambaugh rejected an AI-authored change. Hours later, an AI persona published a personal attack piece about him.

Screenshot of Scott Shambaugh's post about an AI agent publishing a hit piece after a rejected pull request

Source: Scott Shambaugh, “An AI Agent Published a Hit Piece on Me”

AI amplifies the trust collapse

XZ Utils changed the baseline
The lesson was not “review newcomers less kindly.” It was that trust itself can be weaponized.

AI flood changes the front door
When maintainers see more bot-shaped PRs, every unsolicited submission becomes costlier to parse and easier to distrust.

This is why the “we want contributors, but reject many PRs” tension is real only on the surface: projects still want people, but they can no longer afford unaccountable volume.

Context: Veritasium, “The Most Clever Attack in Computing History”

From default trust to explicit trust

Mitchell Hashimoto is piloting a different model.

Screenshot of Ghostty's contributing guide with its vouch system

Ghostty: first-time contributors need a maintainer vouch before a PR can stay open.

Screenshot of Mitchell Hashimoto's Vouch repository

Vouch: trust becomes explicit before code arrives.

Sources: Ghostty CONTRIBUTING.md · mitchellh/vouch

Narrower funnels

Stylized snapshot of tldraw's January 2026 issue announcing automatic closure of pull requests from external contributors

tldraw, January 2026
An influential project announced it would automatically close pull requests from external contributors.

The repo stayed open for issues, bug reports, and discussions. The part that narrowed first was the expensive part: reviewable code contribution.

This is what “the commons hardening” looks like in practice: not total closure, but higher gates at exactly the points where AI volume is most costly.

Source: tldraw/tldraw issue #7695, “Contributions policy”

GitHub wasn’t built for this

Screenshot of GitHub's April 2026 availability update

275M
commits per week

2.1B
Actions minutes per week

17M
agent-opened PRs

8x
faster automated growth

GitHub’s own availability post frames the problem as a platform-scale shock: agentic development turns every pull request into load on storage, CI, search, permissions, notifications, and APIs.

Title area of Mitchell Hashimoto's post: Ghostty Is Leaving GitHub, dated April 28, 2026 — Ghostty: leaving GitHub

Title area of Zig's post: Migrating from GitHub to Codeberg, dated November 26, 2025 — Zig: GitHub to Codeberg

Title area of Planet Gentoo item: Goodbye Github, welcome Codeberg — Gentoo: Codeberg mirror

The signal:
the default FOSS forge is becoming a bottleneck exactly where AI multiplies activity.

Who pays

Junior developers
Lose first reviews, apprenticeship, and the easiest route into open-source work.

Maintainers
Carry more suspicion, more context switching, and more unpaid incident response.

Projects
Lose diverse small contributions and become more closed and fragile.

The movement
Loses the renewal mechanism that kept FOSS broad and resilient.

Community Adaptability

Technical Counter-measures

Automated provenance tools (e.g., SLSA, sigstore)
License-aware fine-tuning that respects copyleft
AI-assisted triage bots using the tech to defend against the tech

Social & Policy Shifts

Mandatory AI-disclosure templates
Projects banning undisclosed AI code
Requiring strict human sign-off and accountability

The open-source ecosystem is actively adapting. Emerging solutions suggest the current disruption will eventually stabilize into a new equilibrium.

Keep the well drinkable

Protect review time

Disclose AI use
Close synthetic drive-bys fast
Make contributors own follow-up

Protect provenance

Require human accountability
Treat unknown origin as risk
Reject clean-room evasions

Protect the commons

Verify dependencies
Fund maintainers upstream
Keep a real path in for people

If openness becomes unaffordable, FOSS stops regenerating.

Additional references: XZ Utils backdoor summary · Mitchell Hashimoto on AI and open source

Thank You

Questions and critiques welcome.

Source code for these slides is available on GitHub.

See more slide decks on software engineering and open source.