Open-source maintainers have root access to your production servers via dependency updates and earn $0 for it
The 'left-pad' npm package (11 lines of code) was unpublished by its author in 2016, breaking thousands of production builds, including at Facebook, Netflix, and Airbnb. The 'event-stream' npm package was handed off to a stranger who injected cryptocurrency-stealing malware — it was downloaded 8 million times before detection. The 'xz utils' backdoor (March 2024) was planted by a contributor who spent 2 years gaining the trust of the sole maintainer through social engineering. In each case, one unpaid volunteer controlled code running on millions of servers.

So what?

Modern software is built on a foundation of packages maintained by individuals who are unpaid, unsupported, and unsupervised. The xz maintainer was a single person maintaining a critical compression library used by every Linux SSH installation worldwide. They were burned out and grateful when a 'helpful' contributor offered to share the maintenance burden — that contributor was a state-sponsored attacker. The entire Linux SSH infrastructure was 2 weeks from being backdoored because one burned-out volunteer accepted help from a stranger. There is no vetting, no background check, no security clearance for the people who maintain the software that runs the internet.

Why does this persist?

Open-source maintainers are volunteers. Companies that profit billions from open-source software contribute almost nothing to its maintenance. GitHub Sponsors and Open Collective pay maintainers $500-5,000/year — less than minimum wage for the hours they put in. The Heartbleed bug (2014) revealed that OpenSSL, used by 66% of web servers, was maintained by one full-time developer earning $20K/year. The economics of open source create a permanent security crisis: critical infrastructure maintained by exhausted volunteers who cannot afford to say no to 'help.'
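The "root access via dependency updates" problem above has a concrete shape in an npm project: a floating version range lets a maintainer's next publish flow into your build with no change on your side, and a lockfile diff is the only place a new transitive package or a replaced tarball becomes visible. The script below is an added example, not code from the original post or from npm itself. It reads a package.json and compares two package-lock.json "packages" maps (lockfileVersion 2/3 layout) before and after an update, then blocks on hard failures and flags the rest for human review. Every manifest, package name and hash in it is constructed for illustration.

```javascript
// Added example (not from the original post): a pre-merge audit for an npm
// dependency update. Manifests, names and hashes below are constructed.

const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

// Floating ranges (^, ~, >=, *, "latest") let a maintainer ship new code into
// your next build with no change on your side. Report every such range.
function findFloatingRanges(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([, range]) => !EXACT_VERSION.test(range))
    .map(([name, range]) => ({ name, range }));
}

// lockfileVersion 2/3 keys entries as "node_modules/<name>"; the root is "".
function packageName(key) {
  return key.replace(/^node_modules\//, "");
}

// Report every way the resolved code in `after` differs from `before`.
function diffLockfiles(before, after) {
  const b = before.packages || {};
  const a = after.packages || {};
  const out = { added: [], removed: [], versionChanged: [], integrityChanged: [], missingIntegrity: [] };
  for (const key of Object.keys(a)) {
    if (key === "") continue; // root project entry
    const name = packageName(key);
    // No integrity hash means nothing verifies the tarball npm will unpack.
    if (!a[key].integrity) out.missingIntegrity.push(name);
    if (!(key in b)) { out.added.push(name); continue; }
    if (b[key].version !== a[key].version) {
      out.versionChanged.push({ name, from: b[key].version, to: a[key].version });
    } else if (b[key].integrity !== a[key].integrity) {
      // Same version string, different tarball: the published artifact was replaced.
      out.integrityChanged.push(name);
    }
  }
  for (const key of Object.keys(b)) {
    if (key !== "" && !(key in a)) out.removed.push(packageName(key));
  }
  return out;
}

// Combine both checks into a verdict. Hard failures (replaced tarball, missing
// hash) block the update; new or bumped packages are flagged for human review.
function auditUpdate(pkg, before, after) {
  const messages = [];
  for (const { name, range } of findFloatingRanges(pkg)) {
    messages.push(`WARN   ${name}: floating range "${range}"; pin an exact version`);
  }
  const d = diffLockfiles(before, after);
  for (const name of d.integrityChanged) messages.push(`FAIL   ${name}: same version, integrity hash changed`);
  for (const name of d.missingIntegrity) messages.push(`FAIL   ${name}: no integrity hash in lockfile`);
  for (const name of d.added) messages.push(`REVIEW ${name}: new package entered the dependency tree`);
  for (const c of d.versionChanged) messages.push(`REVIEW ${c.name}: ${c.from} -> ${c.to}; read the diff before merging`);
  for (const name of d.removed) messages.push(`INFO   ${name}: removed`);
  const ok = d.integrityChanged.length === 0 && d.missingIntegrity.length === 0;
  return { ok, messages };
}

// Constructed sample manifests (illustrative; not taken from any real project).
const packageJson = {
  dependencies: { "left-pad": "^1.3.0", "event-stream": "3.3.6", lodash: "~4.17.20" },
};
const lockBefore = { packages: {
  "": { name: "example-app" },
  "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-CONSTRUCTED-A" },
  "node_modules/event-stream": { version: "3.3.6", integrity: "sha512-CONSTRUCTED-B" },
  "node_modules/lodash": { version: "4.17.20", integrity: "sha512-CONSTRUCTED-C" },
} };
const lockAfter = { packages: {
  "": { name: "example-app" },
  "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-CONSTRUCTED-A" },
  "node_modules/event-stream": { version: "3.3.6", integrity: "sha512-CONSTRUCTED-B2" }, // replaced tarball
  "node_modules/lodash": { version: "4.17.21", integrity: "sha512-CONSTRUCTED-D" },       // version bump
  "node_modules/helper-stream": { version: "0.1.1" },                                     // new, unhashed
} };

console.log(JSON.stringify(auditUpdate(packageJson, lockBefore, lockAfter), null, 2));
```

Run it in CI against the lockfile from the base branch and the one from the update branch; the "same version, integrity hash changed" case is the one a version-only review misses, and a new entry with no integrity field is exactly the kind of silently added transitive package that a handed-off maintainership can introduce.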
Evidence
left-pad incident: March 2016, 2.5M downloads/month, broke thousands of builds.
event-stream attack: November 2018, 8M downloads before detection.
xz utils backdoor (CVE-2024-3094): March 2024, caught 2 weeks before inclusion in stable Linux distros.
Heartbleed (CVE-2014-0160): OpenSSL had 1 full-time developer.
Linux Foundation Census II: identified 200+ critical open-source projects with 1-2 maintainers.