
Risky Bulletin Sponsored: The smouldering trashfire of AI and open source
Feb 22, 2026
Feross Aboukhadijeh, open-source developer and security expert behind WebTorrent, explains how AI is reshaping open source and swelling dependency webs. He recounts real supply-chain compromises and emergent worm attacks. He also introduces Socket Firewall and a behavior-focused approach to blocking malicious packages at install time.
AI Snips
Agents Now Dominate New Code Creation
- AI agents now write the majority of new production code at leading AI labs, often exceeding 90% of new code.
- Feross says agents automatically pull in large dependency graphs, driving dependency counts into the mid hundreds of thousands, a scale neither humans nor agents can reason about at install time.
Enterprise Adoption Is Rapid And Pressure Driven
- Enterprises are rapidly adopting AI code generation with many reporting 40–50% of code written by AI, narrowing the gap with frontier labs.
- Feross attributes this to CEO/board pressure to adopt AI quickly, often at the expense of short-term security focus.
Tiny Packages Create Massive Blast Radius
- Open source has fragmented into many tiny packages maintained by individuals, creating a massive attack surface and a single-maintainer blast radius.
- Feross notes recent 2025 supply-chain compromises targeted foundational packages with millions-to-billions of downloads.
