The software that powers everything from Wall Street trading platforms to hospital records systems depends on a sprawling network of open-source code registries — and those registries are running on fumes. A growing chorus of security researchers, maintainers, and industry observers is sounding the alarm: the organizations responsible for distributing the building blocks of modern software simply do not have the resources to implement even basic security measures.
The problem, long simmering beneath the surface of the technology industry, was brought into sharp focus by a recent discussion on Slashdot, which highlighted the precarious financial state of open-source package registries. These registries — including npm for JavaScript, PyPI for Python, and crates.io for Rust — serve as the central distribution points for millions of software packages downloaded billions of times each month. Yet the organizations running them often operate with skeleton crews and budgets that would be considered laughable for any commercial enterprise handling a fraction of the same responsibility.
Billions of Downloads, Shoestring Budgets
The scale of the mismatch between the importance of these registries and their funding is staggering. PyPI, the Python Package Index, serves hundreds of billions of download requests a year and is run by a handful of Python Software Foundation staff together with volunteers. npm, which hosts over two million JavaScript packages, was acquired by GitHub (and by extension, Microsoft) in 2020, giving it more corporate backing than most; even so, npm has faced criticism for security investment that lags its centrality in global software supply chains.
The core issue is structural. Open-source registries were built as community projects, often by volunteers, and grew organically as programming languages gained popularity. No one designed them from the outset as critical infrastructure requiring enterprise-grade security, identity verification, and abuse prevention. But that is precisely what they have become. When a malicious package slips into npm or PyPI, it can propagate to thousands of organizations within hours, as developers unknowingly pull compromised code into their projects through automated dependency management tools.
A History of Supply Chain Attacks Underscores the Risk
The consequences of this funding gap are not theoretical. In recent years, supply chain attacks on open-source software have multiplied. The 2024 XZ Utils backdoor was not a registry compromise but an attack on an upstream project: a patient attacker spent years earning co-maintainer trust on a widely used compression library before inserting a backdoor that reached sshd through liblzma on distributions that link it into the SSH daemon. The incident, caught only because an unrelated engineer investigated an unexplained login slowdown, shows how thin the human defenses around the open-source supply chain are; had the tainted releases reached stable distributions, it could have compromised SSH authentication on millions of Linux systems worldwide.
Other attacks have been more blunt but no less damaging. Typosquatting — where attackers upload packages with names similar to popular libraries — remains a persistent problem across registries. In 2023, security researchers at Phylum and Sonatype documented hundreds of malicious packages uploaded to npm and PyPI in coordinated campaigns designed to steal credentials and cryptocurrency. The registries removed the packages after they were reported, but the reactive nature of the response underscores the problem: without adequate staffing and automated detection systems, registries are perpetually playing defense.
Who Should Pay for Open-Source Security?
The question of funding has become one of the most contentious in the open-source world. Large technology companies — including Google, Microsoft, Amazon, and Meta — depend heavily on open-source software and the registries that distribute it. Critics argue that these companies extract enormous value from the open-source commons while contributing relatively little to the maintenance and security of the infrastructure that supports it.
Some efforts have been made to address the imbalance. The Open Source Security Foundation (OpenSSF), a project of the Linux Foundation backed by major tech firms, has directed funding toward securing critical open-source projects. Google’s Assured Open Source Software program offers curated, security-tested versions of popular packages. And the Alpha-Omega Project, also under OpenSSF, has provided grants to improve the security of widely used open-source projects and the registries themselves.
Grants and Goodwill Are Not a Sustainable Model
But these initiatives, while welcome, are widely seen as insufficient. The Alpha-Omega Project's total funding since its inception amounts to a few million dollars, a rounding error in the budgets of its corporate sponsors. PyPI's current codebase was built largely on one-off grants (including a Mozilla Open Source Support award) and the service runs on donated cloud and CDN credits, but the Python Software Foundation's total annual revenue remains modest relative to PyPI's global importance. As reported by Slashdot, the fundamental reality is that registries lack the sustained, predictable funding needed to hire full-time security engineers, build out abuse detection systems, and ship controls such as mandatory two-factor authentication on a planned schedule rather than as grant-funded one-offs.
The reliance on grants and volunteer labor creates a fragile system. When a key maintainer burns out or a grant cycle ends, security improvements stall. PyPI began requiring two-factor authentication only for maintainers of its most-downloaded "critical" projects in 2022, years after security experts first recommended the measure, and did not enforce it for every account until the start of 2024. npm phased in similar requirements for high-impact packages under Microsoft's ownership, while smaller registries for languages such as Ruby (RubyGems) and PHP (Packagist) have had to roll out comparable requirements with a fraction of the resources.
Regulatory Pressure Is Building on Both Sides of the Atlantic
Government regulators are beginning to take notice. The European Union's Cyber Resilience Act, which will impose new security requirements on software products sold in the EU, raised concerns among open-source advocates that volunteer-run projects could be held to compliance standards they cannot afford to meet; the final text carves out a lighter "open-source software steward" role for foundations, but the cost of meeting even that obligation still falls on the same underfunded organizations. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has published guidance urging software producers to take responsibility for their open-source dependencies and, with OpenSSF, a set of "Principles for Package Repository Security" in 2024 that lays out maturity levels for registries, but it has stopped short of mandating specific actions or providing direct funding to the registries themselves.
The tension between regulatory ambition and the financial reality of open-source maintenance is palpable. Seth Larson, the security developer-in-residence at the Python Software Foundation, a position itself funded by an Alpha-Omega grant, has been vocal about the challenges of securing PyPI with limited resources. In public statements and blog posts, Larson has described the difficulty of implementing security improvements while also handling day-to-day operations, responding to abuse reports, and managing infrastructure.
The Private Sector’s Uneven Response
Some private-sector responses have been more substantive than others. Tidelift, a company that pays open-source maintainers to meet security and maintenance standards, has argued that the industry needs a new model in which companies that depend on open-source software pay directly for its upkeep. “The current model is broken,” Tidelift CEO Donald Fischer has said in interviews. “We’re asking volunteers to secure the software that runs the global economy, and then acting surprised when things go wrong.”
Meanwhile, companies like Cloudflare and Fastly have donated infrastructure services — such as content delivery and DDoS protection — to registries, helping to offset some operational costs. But donated bandwidth does not translate into donated security engineering hours, and it is the human expertise that registries most desperately need.
What a Properly Funded Registry Would Look Like
Security experts have outlined what a well-funded registry operation would require: dedicated security teams capable of proactive threat hunting, automated malware scanning for every uploaded package, mandatory multi-factor authentication for all maintainers, cryptographic signing or provenance attestation of packages so that consumers can verify where a release came from, and real-time monitoring for suspicious activity. Some of these features exist in partial form at the largest registries (npm's provenance attestations and PyPI's Trusted Publishers and digital attestations, for example), but none has implemented the full suite, smaller registries lag far behind, and even where signatures exist they only help when the consuming side actually verifies them.
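The last point above, that integrity controls only matter if consumers check them, is something a downstream team can act on today regardless of registry funding. The following is an added example, not code from the article or from pip: it implements the consumer-side half of hash pinning, parsing a requirement line in the same `name==version --hash=sha256:...` form that `pip install --require-hashes` consumes, and refusing an archive whose digest does not match. The archive bytes are constructed for the example; in practice they would be the downloaded wheel or sdist.

```python
import hashlib
import hmac
import re

# Digest algorithms pip accepts for --hash; anything weaker (md5, sha1) is rejected.
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}

# Constructed stand-in for a downloaded wheel; not a real package.
SAMPLE_ARCHIVE = b"PK\x03\x04 constructed wheel contents for the example"

_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=[A-Za-z0-9]+:[0-9a-fA-F]+)+)\s*$"
)


def parse_pinned_requirement(line):
    """Parse 'name==version --hash=alg:hex [--hash=alg:hex ...]' into
    (name, version, [(alg, hexdigest), ...]). Rejects unpinned lines."""
    m = _REQ_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a hash-pinned requirement: {line!r}")
    hashes = re.findall(r"--hash=([A-Za-z0-9]+):([0-9a-fA-F]+)", m.group("hashes"))
    parsed = []
    for alg, digest in hashes:
        alg = alg.lower()
        if alg not in ALLOWED_ALGORITHMS:
            raise ValueError(f"disallowed hash algorithm {alg!r} in {line!r}")
        parsed.append((alg, digest.lower()))
    return m.group("name"), m.group("version"), parsed


def make_pinned_requirement(name, version, archive_bytes, alg="sha256"):
    """Produce the line a lock file would carry for a known-good archive."""
    digest = hashlib.new(alg, archive_bytes).hexdigest()
    return f"{name}=={version} --hash={alg}:{digest}"


def verify_download(line, name, version, archive_bytes):
    """True only if the archive matches at least one pinned digest for this
    exact name and version. Several --hash entries are allowed because one
    version may ship multiple wheels (one per platform)."""
    pinned_name, pinned_version, digests = parse_pinned_requirement(line)
    if pinned_name.lower() != name.lower() or pinned_version != version:
        return False
    for alg, expected in digests:
        actual = hashlib.new(alg, archive_bytes).hexdigest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    pin = make_pinned_requirement("examplepkg", "1.2.3", SAMPLE_ARCHIVE)
    print(pin)
    print("genuine archive verifies:", verify_download(pin, "examplepkg", "1.2.3", SAMPLE_ARCHIVE))
    print("tampered archive verifies:", verify_download(pin, "examplepkg", "1.2.3", SAMPLE_ARCHIVE + b"\x00"))
```

The check is deliberately strict on version as well as digest: a registry-side compromise that republishes a different artifact under the same version is exactly the case a hash pin exists to catch, and a pin that silently tolerates a version bump would let an attacker route around it.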
The cost of doing this properly is not astronomical by the standards of the technology industry. Estimates from researchers and registry operators suggest that a fully staffed and secured registry operation for a major programming language would require on the order of $5 million to $10 million per year — a trivial sum for any of the Fortune 500 companies whose products depend on these registries daily. The fact that this money has not materialized speaks to a collective action problem: every company benefits from the commons, but no single company has sufficient incentive to fund it alone.
The Stakes Keep Rising
As software supply chain attacks grow more sophisticated and more frequent, the gap between the security posture of open-source registries and the threats they face continues to widen. The XZ Utils incident was a wake-up call, but the industry’s response has so far been incremental rather than transformative. Without a fundamental shift in how open-source infrastructure is funded — whether through corporate commitments, government investment, or new economic models — the registries that underpin the modern software economy will remain dangerously exposed.
The irony is bitter: the technology industry has generated trillions of dollars in value on the back of open-source software, yet the organizations tasked with distributing and securing that software are perpetually one bad quarter away from crisis. The question is no longer whether a catastrophic supply chain attack will exploit these weaknesses, but when — and whether the industry will have acted in time to prevent it.