Ninety-four million downloads per month. That's how popular LiteLLM, a Python proxy library for LLM APIs, was when a threat actor pushed malicious versions to PyPI earlier this year. The compromised package harvested credentials on install - you didn't even need to import it - established persistence through systemd, and could spread laterally across Kubernetes clusters. It was live for three hours before anyone caught it.
This incident anchors a provocative essay by Dirk Harms-Merbitz arguing that AI is killing open source software through what he calls a "pincer attack" - simultaneous pressure from above and below that's collapsing the trust model the entire ecosystem depends on.
The argument is worth taking seriously, even if you disagree with the conclusion.
The Attack From Above
Harms-Merbitz points to Cloudflare assigning a single developer to clone Next.js - a framework built over years by Vercel and hundreds of open source contributors. The result: a functional clone in one week, at roughly $1,100 in AI inference costs. One person, one week, a thousand dollars to replicate years of community effort.
The company didn't fork the project or engage with its community. They just rebuilt it. And they had every legal right to do so, because the code was open and the LLMs learned from it.
This is the "attack from above" - large companies using AI to clone open source projects rather than contributing to them. The economics now favor rebuilding over collaborating, which strips away one of open source's core value propositions: pooled effort across organizations.
The Attack From Below
The pressure from individual developers is subtler but arguably more damaging. Andrej Karpathy recently described a coding philosophy he calls "yoinking" - using AI to read a library, extract just the functions you need, and rewrite them inline in your project. No pip install, no dependency, no maintainer relationship.
When an LLM can understand a package, identify the three functions you actually use, and reproduce them in seconds, the incentive to pull in an external dependency drops to near zero. Downloads decline not because the library got worse, but because people stopped needing the package when they could just take the idea.
The Trust Problem Has No Easy Fix
The LiteLLM compromise illustrates the deeper issue. Open source always ran on trust - trust that authors weren't malicious, that community review was thorough enough, that the volume of contributions was low enough for humans to audit.
AI breaks all three assumptions. A pull request generated by AI looks identical to one written by a human. A subtle backdoor spread across three innocent-looking commits from three unrelated accounts is now a weekend project. The cost of contributing maliciously has dropped to near zero while the cost of detecting malice has stayed flat or increased.
Meanwhile, maintainers face a flood of AI-generated pull requests that look reasonable but are often low-quality. Review burden goes up. Motivation goes down. And when something breaks, the maintainer who built and maintained the project for free becomes the villain in someone else's supply chain postmortem.
Harms-Merbitz's prescription - buy commercial software with SLAs, or write it yourself with AI - is self-serving (he's selling Unix tools). But the diagnosis rings true. The economic argument for open source was built on a world where writing software was expensive, so sharing it made sense. AI has made writing software cheap. The question is whether open source can adapt its trust and incentive models fast enough to survive that shift, or whether we're watching the early stages of a slow unwinding.
For anyone who depends on open source packages in production - which is essentially everyone - the practical takeaway is immediate: audit your dependency trees harder, pin your versions, and start treating every third-party package as a potential attack surface. The era of casual npm install and pip install without scrutiny should already be over.
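One concrete way to act on "pin your versions" for pip-based projects, added here as an example and not part of the original essay: a small checker that flags requirements entries which are not pinned to an exact version with `==` or carry no sha256 `--hash`, the two conditions pip's `--require-hashes` mode enforces at install time. The requirements text below is constructed, not taken from any real project.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample requirements.txt (hypothetical contents, not a real lockfile).
SAMPLE_REQUIREMENTS = """\
# hypothetical lockfile excerpt
litellm>=1.0
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml
numpy==1.26.4
"""

# Exact pin: name followed by == (or ===) and a version.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|===)\s*\S+")
# A sha256 hash option, the form pip checks under --require-hashes.
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")


@dataclass
class Finding:
    line: str
    problems: List[str] = field(default_factory=list)


def _logical_lines(text: str) -> List[str]:
    """Join backslash continuations and drop comments/blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # crude: also cuts URL fragments
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def audit_requirements(text: str) -> List[Finding]:
    """Return one Finding per requirement that is unpinned or unhashed."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):  # pip options such as -r or --index-url
            continue
        problems = []
        if not PIN_RE.match(line):
            problems.append("not pinned to an exact version (==)")
        if not HASH_RE.search(line):
            problems.append("no sha256 --hash (pip --require-hashes would reject it)")
        if problems:
            findings.append(Finding(line, problems))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f.line, "->", "; ".join(f.problems))
```

Running it over the sample flags litellm (range specifier, no hash), pyyaml (no pin, no hash) and numpy (pinned but no hash); only the requests line passes.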