Features 07.10.2025

Why Irresponsible Users Put Open Source Security on Shaky Ground

Some of the world’s richest companies are taking advantage of free software. That’s bad news for open source security.

Danny Bradbury explains why more money must be diverted to maintainers and infrastructure

If there was ever proof that the world’s software economy runs on infrastructure that nobody pays for, September’s attack on the npm package ecosystem was it.

The attackers compromised a package maintainer’s account using a single phishing email. That gave them access to packages downloaded 2.6 billion times weekly, compromising them with malicious code that was live for 2.5 hours before detection. While they eventually walked away with under $1,000, the attack highlighted the systemic fragility of open-source infrastructure.

While the non-profit organisations running open-source infrastructure face down these threats, some users are irresponsible in their use of the resources, warns Brian Fox, founder of Sonatype. The security vendor also runs Maven Central, a free repository where most of the world’s open-source Java packages are downloaded from.

Fox spent time analysing Maven Central’s logs and found that 1% of the IP addresses accessing the site were responsible for 83% of the repository’s total bandwidth.

“I documented cases where somebody was doing test publishes on every single commit just because one time in the past, he had a problem. Every time someone publishes a commit, it hits free repositories and pulls down the latest version of a package,” he tells Assured Intelligence.

“Or in other cases, the things being published are basically enterprise SDKs, and they want to publish every single day, even though most things don’t change. It’s like, ‘okay, that’s a convenience for your users, but you’re wasting a ton of resources.’”

Organisations can reduce the load on package management systems by caching the files they need, thereby avoiding the need to access server resources and utilise network bandwidth repeatedly. But they don’t, either because they’re oblivious or just don’t care.
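The two measurements behind the points above, as an added Python example that is not code from the article, Sonatype or Maven Central: it parses a handful of constructed access-log lines, computes the share of bytes consumed by the heaviest 1% of client addresses (Fox's 1%/83% figure), and lists repeat downloads of one artifact by one address, which is exactly the traffic a local cache would absorb. The log lines, paths and addresses are made up.

```python
import re
from collections import Counter
from math import ceil

# Constructed access-log lines in combined log format; not real registry data.
# "-" in the size field is how servers log a response without a body.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Sep/2025:10:00:00 +0000] "GET /maven2/org/example/lib/1.0/lib-1.0.jar HTTP/1.1" 200 500000
10.0.0.1 - - [01/Sep/2025:10:05:00 +0000] "GET /maven2/org/example/lib/1.0/lib-1.0.jar HTTP/1.1" 200 500000
10.0.0.1 - - [01/Sep/2025:10:10:00 +0000] "GET /maven2/org/example/lib/1.0/lib-1.0.jar HTTP/1.1" 200 500000
10.0.0.2 - - [01/Sep/2025:10:00:01 +0000] "GET /maven2/org/example/lib/1.0/lib-1.0.pom HTTP/1.1" 200 2000
10.0.0.3 - - [01/Sep/2025:10:00:02 +0000] "GET /maven2/org/example/util/2.1/util-2.1.jar HTTP/1.1" 200 100000
10.0.0.4 - - [01/Sep/2025:10:00:03 +0000] "GET /maven2/org/example/gone/0.1/gone-0.1.jar HTTP/1.1" 404 -
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def parse_log(text):
    """Return (ip, method, path, status, bytes) tuples; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status, size = m.groups()
        records.append((ip, method, path, int(status), 0 if size == "-" else int(size)))
    return records

def bytes_by_ip(records):
    """Total response bytes served to each client address (zero-byte clients are kept)."""
    totals = Counter()
    for ip, _, _, _, size in records:
        totals[ip] += size
    return totals

def top_fraction_share(totals, fraction=0.01):
    """Addresses in the heaviest `fraction` (rounded up, so at least one) and their byte share."""
    if not totals:
        return [], 0.0
    k = max(1, ceil(fraction * len(totals)))
    ranked = totals.most_common(k)
    grand = sum(totals.values())
    return [ip for ip, _ in ranked], (sum(b for _, b in ranked) / grand if grand else 0.0)

def redundant_fetches(records):
    """Successful downloads of the same artifact by the same address more than once."""
    seen = Counter((ip, path) for ip, method, path, status, _ in records
                   if method == "GET" and status == 200)
    return {key: n for key, n in seen.items() if n > 1}
```

With only four addresses in the sample, the "top 1%" bucket rounds up to a single address; on a real log with tens of thousands of clients it is the concentration curve Fox describes.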

It’s not just about bandwidth abuse

Hitting server resources and bandwidth doesn’t directly create security issues. But it does affect the overall budget for these free projects, whose maintainers have many demands on their time.

“Network traffic notwithstanding, there’s an awful lot of other costs that are not being spent right now, but need to be, like security hardening, operations staff, or things that are just barely staying afloat as they work on these problems,” says Michael Winser. He is the founder of Alpha-Omega, a Linux Foundation project funded by Microsoft, Google, Amazon, and Citi, that promotes sustainable security investments for open-source projects.

“These organisations are operating as if they were non-profits, but they’re actually funded like charities,” Winser says of the free open source infrastructure projects and the foundations funding them. “They rely on discretionary, highly variable donations, but they have transactional costs that scale with their usage.”

A call for change

Now the non-profits are standing up for themselves. Maven Central and Alpha-Omega have joined forces with six other organisations that run open-source infrastructure projects: PyPI, Rust, Eclipse, OpenJS, Ruby Central, and Packagist. They have published an open letter calling for changes to the status quo. The bottom line? Free always meant free as in intellectual freedom, not free as in beer. Open source has become too critical to fund with the technology equivalent of a bake sale.

“They have become foundational digital infrastructure – not just for open source, but for the global software supply chain,” the open letter says of these registries. Other parts of the infrastructure, such as content delivery networks (CDNs) and cloud computing power and storage, also require more stable support.

“The pattern remains the same: a small number of organisations absorb the majority of infrastructure costs, while the overwhelming majority of large-scale users, including commercial entities that generate demand and extract economic value, consume these services without contributing to their sustainability,” the letter goes on.

The open usage policies on these systems make matters worse, it says, because companies are also using them to distribute proprietary software for their own commercial gain without giving anything back to help fund the resource. “In effect, public registries have become free global CDNs for commercial vendors,” it says.

The security challenge

This infrastructure will come under increasing pressure as people attempt to exploit the system. That includes spam and the supply chain attacks we’ve just seen. The commercial security world depends on this infrastructure as much as everyone else; as the letter puts it, “Security tooling expects an immediate response from public registries.”

The letter suggests that things are about to get far worse. Generative and agentic AI will lead to more automated usage that again treats this infrastructure as an externality.

“CFOs need to wake up to the massive hidden subsidy they’re getting from open source. Almost every company’s software budget is artificially low because open source maintainers have been picking up the tab for years,” says Feross Aboukhadijeh, CEO of Socket.

A 2024 Harvard Business School study bears this out. It found that companies would need to spend 3.5 times their current software budgets if open-source software were to disappear. Both the maintainers and the infrastructure could benefit from more funding to support efforts, including security.

Pitching in

So what can we do to stop the rot? The answer will upset some people, because it has a dollar sign in front of it. The group suggests asking commercial partners to fund infrastructure in proportion to usage. That could come with tiered access models that allow smaller users and individuals to access resources equitably, while requiring larger users to contribute a greater share. In return, they may receive extras, such as usage statistics.

What happens if we don’t fix this problem? Aboukhadijeh points to one incident that he calls “the canary in the coalmine”. When chip giant Broadcom purchased virtualisation company VMware, it began tightening the thumbscrews on licensees as part of a broad monetisation effort that has caused consternation in the industry.

Less noticeable was what came with VMware: Bitnami. This company, which it had acquired in 2019, provided a large base of open-source containers for developers at no cost, as a lure to a premium model that offered value-added extras like backups and commercial support. Broadcom’s money grab extended to Bitnami. On September 29, it turned off the free container faucet, discontinuing updates for most of the free containers in favour of the paid versions.

The development is “a stark reminder of what happens when critical open source infrastructure lacks a sustainable funding model and clear governance,” Aboukhadijeh says. It exposed the risks of taking free services for granted without a long-term plan for funding and governance in place.

“Is this the inevitable fate of all open source infrastructure? Not necessarily, but it’s the path we’re on if the funding problem goes unsolved,” he warns.

This isn’t the first idea to help filter money back into the free software community. For example, open source luminary Bruce Perens has already proposed a Post-Open license. It would channel revenues from companies that use open-source products as part of their own paid offerings to developer-owned entities, which would redistribute the funds.

Unsurprisingly, this issue keeps arising. The tech world is built in part on free, voluntary efforts that people contribute to for the greater good. It’s why the Shadowserver Foundation was left scrabbling for survival in 2020 after Cisco pulled its funding. The tragedy of the commons applies. Unless the largest users with the deepest pockets pitch in, public good services and infrastructure will remain on shaky ground.
