
AI Is Breaking Open Source Supply Chain Security

Ismail Pelaseyed of Superagent explains how AI has compressed attack timelines and why the open source ecosystem may be approaching a structural breaking point.

Mike Sullivan (written by AI)

June 25, 2026 · 9 min read

Photo: AI. Wren Sugimoto

There was a moment — somewhere around 2010, maybe 2011 — when npm install felt genuinely miraculous. You typed a command and someone else's years of work materialized in your project directory. The whole thing ran on a social contract so thin it was practically philosophical: a stranger had written something useful, put it on the internet for free, and you trusted it enough to ship it to production. That this worked at all was the miracle. That it worked for as long as it did was the part nobody talks about anymore.

Ismail Pelaseyed, co-founder and CTO of Superagent, joined the Mastra Agents Hour podcast recently to talk about what's happening to that social contract now. His argument isn't that open source was ever perfectly secure — it wasn't, and anyone who was paying attention during the 2016 left-pad debacle or the 2018 event-stream compromise knows exactly how fragile the whole thing has always been. His argument is that AI changed the cost structure of attacking it, and that cost change is structural, not temporary.

"Previously, it took an army of attackers and weeks of work to actually probe and find those bugs and then chain them together in a way where you could actually attack something," Pelaseyed says. "Nowadays it takes an hour."

That compression — from weeks to an hour — is Pelaseyed's assertion, not an independently benchmarked figure, and I'd be careful about treating it as a precise measurement. But the directional claim is consistent with what security researchers have been documenting more formally. IBM's 2024 X-Force Threat Intelligence Index tracks a sustained shift toward attackers exploiting human and application-layer weaknesses rather than brute-forcing infrastructure. The math on attack economics has moved, even if the exact ratio is harder to pin down than a single podcast quote.

What makes the hour-not-weeks claim worth taking seriously is Pelaseyed's corollary: you don't even need a frontier model to do it. A smaller open source model handles the job well enough if the operator knows what they're doing. The implication is that the barrier isn't access to powerful AI anymore — it's access to people who understand what to ask it.


The Entry Point Is Still a Human

The part of Pelaseyed's argument that gets buried under all the AI anxiety is the most useful part: most of these attacks still start with a phishing email.

Not a zero-day. Not some sophisticated AI-generated exploit. A link. Someone in an organization with elevated privileges clicks something they shouldn't. The attacker gets a token. The rest is logistics.

"It's easier to hack a person than it is to hack a computer," Pelaseyed says, with the weary efficiency of someone who has explained this too many times. "Hacking a person is just a phishing email away."

What AI changed isn't the attack vector — social engineering is older than the internet — it's the quality of the bait. The tells that used to give phishing attempts away (the slightly wrong domain, the stilted English, the vague pretense) are sanding down. Pelaseyed describes getting DMs on X from accounts claiming to be from TechCrunch, offering press coverage with a cal.com link attached. The message itself is indistinguishable from a legitimate journalist outreach. The only protection is suspicion as a default posture, which is not a sustainable or pleasant way to operate.

His personal countermeasure — a Chrome extension that runs a secondary check on outbound links in his Gmail — is the kind of thing a CTO builds for himself on a weekend because the platforms that should be doing it have apparently decided not to bother. Pelaseyed is diplomatic about this, but only barely.

"I'm a bit pissed, actually," he says, discussing GitHub and npm. "It seems like they're on manager mode or something."

"Manager mode." I want to sit with that phrase for a second. GitHub is now a Microsoft property, eleven-figure acquisition, integrated into Copilot, enterprise contracts, quarterly earnings calls. The scrappy infrastructure that hosted the world's code for free is now a line item in a Satya Nadella presentation. NPM was acquired by GitHub in 2020. The registries that the entire open source ecosystem runs through are, structurally, enterprise software businesses now. When Pelaseyed says "manager mode," he means: the incentives have shifted, the urgency has diffused, and the people with the leverage to fix the pipeline at scale are focused on other things. Anyone who watched SourceForge go from the center of the open source universe to a footnote will recognize the trajectory.


The Actual Attack: Boring, Effective, Exponential

The mechanics Pelaseyed describes are almost insultingly simple, which is part of the problem.

Once an attacker has a maintainer's credentials — via phishing, via a compromised CI/CD workflow leaking tokens, via whatever — the move is usually not to attack a major package directly. The move is to find something smaller. A utility library with 50 million weekly downloads that everyone has in their dependency tree and nobody thinks about. The kind of package that does one thing, does it well, and is maintained by one developer who updates it on weekends. Add a malicious post-install script — what the security community calls an "exotic lifecycle hook" — and you've poisoned every project that pulls that update.

The XZ Utils backdoor, discovered in March 2024, was this exact pattern at a longer timescale. A bad actor spent nearly two years building trust with the maintainer through a slow-burn social engineering campaign — contributing patches, being helpful, cultivating the relationship — before eventually gaining commit access and inserting a backdoor into a compression library that ships with nearly every major Linux distribution. The attack almost worked. The only reason it was caught was that a Microsoft engineer noticed a half-second latency anomaly in SSH connections and went digging. That story belongs in this conversation about phishing and human exploitation, not as a footnote.


The Darwinian GitHub Problem

Pelaseyed's sharpest observation — and the one with the longest tail — is about what happens to the open source ecosystem when enterprises start defending themselves rationally.

Some large organizations have implemented policies requiring packages to age a minimum number of days before installation. The logic is that obvious malware gets caught in the first 24-72 hours, so waiting eliminates the most flagrant attacks. Pelaseyed endorses this as sound enterprise risk management. He is also clear that it's slowly suffocating the ecosystem that makes enterprise software possible.

"In six months, nobody, especially not enterprises, will be keen on installing new packages," he says. "What ends up happening is you get this Darwinian GitHub where only the larger packages that have the security posture and have the millions of dollars to spend on tokens to secure their project — only those will survive."

New contributors building new packages face a catch-22: the only way to get adoption is to build trust, and the only way to build trust is to already have it. The closed-contributor-list approach — some projects have stopped accepting external pull requests entirely — is the community consuming itself. We all started somewhere, including the people who wrote the packages that power everything. Pulling up the ladder isn't a security strategy; it's an endgame.


What You Can Actually Do Today

Pelaseyed's practical recommendations are genuinely actionable, which is rarer than it should be in security coverage.

Switch from npm to pnpm. The newer package manager gives you granular control over dependency update timing and lets you restrict which lifecycle hooks can execute. Pelaseyed estimates the migration takes around ten minutes with an AI coding assistant — for a straightforward project, at least; your mileage will vary with a complex monorepo. The cost is zero. This one is a no-brainer.

Turn on the free scanners. CodeQL from GitHub, Dependabot, Socket.dev — all free for open source projects. They catch the simple stuff, which is most of the stuff. Not running them is leaving the lock off the door because you're busy.

Add adversarial testing, not just scanning. Scanners find individual vulnerabilities. Attackers chain them. Pelaseyed argues for running an offensive agent that actively tries to exploit your code in combination — the difference between checking whether each door is locked and checking whether an unlocked window plus an unpatched library plus a leaked environment variable adds up to an exfiltration path. These tools exist; they're not free; they're worth understanding even if you don't deploy them immediately.

Vet your contributors. Tools like Vouch let maintainers build trust profiles for contributors. A first-time PR that looks clean is not the same security risk as a tenth PR from someone whose track record you understand. The XZ Utils attacker banked on a tired, overextended maintainer being grateful for the help. Pelaseyed's point is that the help itself is now an attack surface.


The open source ecosystem was built on the idea that distributed trust at scale produces better software than any single organization could. That idea powered Linux, which powers most of the internet. It powered the JavaScript package ecosystem that enabled the modern web. The entire cloud runs on it.

The thing currently testing that idea is not primarily sophisticated AI exploits. It's a phishing email, a tired maintainer, and a post-install script three dependencies deep in a project nobody audits. AI didn't invent any of those components — it just made the person writing the phishing email better at their job, and made the person hunting for the chainable bugs faster at finding them.

Pelaseyed thinks the ecosystem survives only if it collectively defends itself — shared compute, shared tooling, a coordinated security posture across the supply chain rather than every maintainer doing it alone. He's probably right about what the solution looks like. What he didn't say, and what I think is the honest read of the structural dynamics here, is that collective action problems in open source have historically been solved by a large company deciding it was in their interest to solve it — and the large companies with the most leverage over this particular infrastructure are currently on manager mode.

That worked out fine for Java.


— Mike Sullivan, Technology Correspondent, BuzzRAG
