
AI Has Taken Over Open Source

Vibe coding at scale is reshaping how packages are created, contributed, and selected across the software supply chain

André Staltz

May 22, 2026

6 min read


I’ve spent a lot of time looking at what the data reveals about open source, from the speed at which open source alternatives emerge to how maintainer compensation compares with the broader software industry. I’m interested in what the data says, not in predictions based on anecdotes.

At Socket, I've had the privilege of accessing our massive database across all major ecosystems, including npm, PyPI, Go, and Rust. We essentially replicate all open source packages, including the very fringe cases. Within minutes, a nefarious package is replicated, analyzed, and reported to our customers.

This unparalleled, real-time visibility into the entire software supply chain has surfaced unique and often surprising insights as our industry has rushed into the AI era. Socket was created just before “vibe coding” was coined as a term, and we have had a front-row seat to observe how it is impacting the open source community.

I found three interesting insights that I want to share with you today, all related to AI coding trends: the number of packages on npm is growing exponentially, pull requests and contributions are increasingly seen negatively by maintainers, and dependency shopping is on a downward spiral. AI is driving the production and consumption of open source, as well as fundamentally transforming the dynamics between maintainers and contributors.

The Rising Tide of Packages

Last year, I took a deep dive into Socket's package database, and I developed a theory that npm might have reached its peak. The explosive surge that defined the 2013 to 2016 period seems to have leveled off. I remember that a decade ago, the developer community was using the term "JavaScript fatigue" to describe the then-normal torrent of new tools and ways of working. Since then, the ecosystem has moved toward a more predictable cadence, and those familiar frustrations within the community have largely quieted down.

Everything changed in January 2026. AI coding tools became so effective at producing working code that they became the driver of many developers' workflows for producing side projects, open source packages, automations, and enterprise source code.

This is visible in open source ecosystems such as npm. I compiled the following chart from Socket’s database by bucketing all packages by their creation month and counting how many packages were created in each month. To exclude fake packages, dead packages, and other registry-abusing cases, I added a filter for packages that have at least 100 weekly downloads, so the chart counts only real and reusable packages.

Time series chart of the number of NPM packages by creation date from the years 2013 to 2026. It displays exponential growth from the years 2013 to 2016 totaling approximately 1000 packages, then a linear growth until mid-2025 up to 3000 packages, and then the sudden explosive exponential growth towards 2026 crossing the mark of 10000 packages.

There is an unprecedented pattern going on. While it is possible the recent spike includes packages gaming the system for artificial popularity, we haven’t seen this kind of sudden growth in 15 years of npm. The immediate question is: where do they come from? How can there be this many? Even during the periods when there were swarms of prolific developers publishing as many packages as they humanly could, we did not reach the mark of 10,000 real and reusable packages per month. It seems like something superhuman is happening.

This sparked my curiosity, and I pondered how I could distinguish which of these packages were “written by AI”. Trying to differentiate between human and machine output is a challenge that borders on a modern Turing test. That said, fortunately current AI coding tools are unusually fond of em dashes, so for the time being they give themselves away easily. I measured the number of packages published recently and the proportion of those whose README files contained em dashes, and the following chart was produced. (Please note that this was produced mid-May 2026, so the count of packages in May is still incomplete.)

A time series chart of the number of NPM packages published in the past 12 months. For each month two numbers are displayed: the total number of packages and the proportion of those that contain an em dash in the README. From June 2025 until January 2026, there are about 40,000 NPM packages each month, of which 5% have an em dash. Afterward, until May 2026, there is a linear growth up to 100,000 NPM packages per month, of which 30% contain an em dash in the README.

It is normal to expect approximately 5% of em dash “background radiation” produced by humans, so the recent sharp increase in em dash usage (30%+) indicates that AI is indeed employed in the creation of new npm packages. It is more than doubling the number of packages per month.
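To make the two measurements above reproducible on a small scale, here is an added Python example (not Socket's code and not from the post) that applies the 100-weekly-downloads filter from the package-count chart and the README em-dash heuristic from the chart just above to a constructed set of package records. The record layout, the `months_above_baseline` helper and the 5% baseline taken from the post's numbers are assumptions of this example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of package metadata (not Socket's data).
# "readme" may be None for packages published without one.
SAMPLE_PACKAGES = [
    {"name": "pkg-a", "created": date(2026, 1, 12), "weekly_downloads": 350,
     "readme": "Utility for dates."},
    {"name": "pkg-b", "created": date(2026, 1, 20), "weekly_downloads": 12,
     "readme": "Fast \u2014 tiny \u2014 simple."},          # below cutoff, ignored
    {"name": "pkg-c", "created": date(2026, 2, 3), "weekly_downloads": 900,
     "readme": "Parses YAML \u2014 safely."},
    {"name": "pkg-d", "created": date(2026, 2, 9), "weekly_downloads": 120,
     "readme": "CLI helper."},
    {"name": "pkg-e", "created": date(2026, 2, 27), "weekly_downloads": 5000,
     "readme": "Router \u2014 zero deps \u2014 typed."},
    {"name": "pkg-f", "created": date(2026, 2, 28), "weekly_downloads": 101,
     "readme": None},
]

EM_DASH = "\u2014"
MIN_WEEKLY_DOWNLOADS = 100   # the post's cutoff for "real and reusable"
HUMAN_BASELINE = 0.05        # the post's ~5% em-dash "background radiation"


def is_reusable(pkg):
    """Apply the post's download filter against fake/dead packages."""
    return pkg["weekly_downloads"] >= MIN_WEEKLY_DOWNLOADS


def has_em_dash(pkg):
    """Em-dash heuristic; a missing README counts as no em dash."""
    return EM_DASH in (pkg.get("readme") or "")


def monthly_stats(packages):
    """Per creation month: count of reusable packages and em-dash share."""
    totals, dashed = defaultdict(int), defaultdict(int)
    for pkg in filter(is_reusable, packages):
        month = pkg["created"].strftime("%Y-%m")
        totals[month] += 1
        dashed[month] += has_em_dash(pkg)
    return {m: {"total": totals[m], "em_dash_share": dashed[m] / totals[m]}
            for m in sorted(totals)}


def months_above_baseline(stats, baseline=HUMAN_BASELINE):
    """Months whose em-dash share exceeds the human baseline (assumed test)."""
    return [m for m, s in stats.items() if s["em_dash_share"] > baseline]
```

Running `monthly_stats(SAMPLE_PACKAGES)` on the constructed data drops the low-download package and reports one reusable package in January and four in February, half of which carry an em dash.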

Maintenance Fatigue: PRs not welcome

AI coding tools are used not only for the creation of new packages but also for contributing pull requests to existing open source projects. Given the normalization of AI assistance in most IDEs, this is not surprising. What's new is the flood of low-quality and often automated pull requests, which bypass human interaction, spamming maintainers with noise.

Maintainers of projects such as curl, Godot, Ghostty, tldraw, and others are now vocally describing contributions in a negative light. Some are resorting to disabling pull requests entirely, while others are considering whether contributor allowlists could be an answer.

It was once standard practice in the open source community to use "good first issue" labels to encourage and onboard new programmers. Yet, this label is increasingly counterproductive, often attracting AI automation executing on a user's instruction. As a result, contributions are now often leveraged to boost online presence and popularity, eroding the culture of solidarity that historically defined the open source ethos.

AI is reshaping the work of maintainers as much as it is reshaping the work of contributors. Maintainers are now using those tools to help review pull requests, or to simply rewrite the contribution from scratch given the maintainer’s better-informed prompt.

Software Supply Chain as a Black Box

We built Socket’s package search feature – free for everyone – to support “dependency shopping”. This is the process of searching for suitable dependencies, filtering away the fake and the unpopular, and assessing many other criteria. Let’s take a look at how this too was impacted by AI recently.

What simple “health indicator” for dependency shopping could we probe? In modern software development, UI components for routine tasks like date selection are a fundamental requirement. However, when I examined Google Search trends for “date pickers” in the past 4 years, I discovered a surprisingly consistent decline:

Time series chart from Google Search Trends displaying the interest over time for keywords such as React date picker from the years 2022 to 2026. The numbers look somewhat constant from the years 2020 until 2024 and afterward there is a linear decline that goes down about 80% until 2026.

Based on the chart above, one might be inclined to conclude that React date pickers are on their way out of the software being produced lately. On the contrary, the download statistics for the react-datepicker package reveal a conflicting narrative: react-datepicker usage is steadily growing, and even picking up more steam in 2026!

A time series chart from npmtrends.com for the keyword React date picker showing a linear growth from the years 2021 until mid-2025, when afterward it starts growing exponentially through the year 2026.

Open source used to be consumed consciously, intentionally and informed by package popularity or human review. This is no longer true. Developers more and more rely on their AI coding tools to build entire features or products, and in the process include the packages deemed necessary. Packages themselves used to contain transitive dependencies that were hand-picked by maintainers. That is also no longer true.

The result is that AI is now primarily in control of software supply chains. There are other fields disrupted by AI, such as image generation or the production of music, but software is uniquely impacted. AI is now driving both the production and consumption of open source software. AI-generated music ends in human ears, and AI-generated images mostly benefit humans, but AI-generated software is an ouroboros (a snake eating its own tail) which is just getting started.

The software that AI writes is often good, and the open source packages it chooses for consumption are by and large better than what humans would choose. But the fact remains that the software supply chain is now an automated black box, fundamentally changing the landscape of security and transparency.

It is not feasible to manually review every new dependency selection, and the pace of AI-accelerated productivity reduces the economic benefit of pausing to inspect the packages and their source code. The only viable solution to remain secure in this new world ridden with malware campaigns is to automate the scanning of third-party code to surface risk indicators based on how that code behaves.

Developers are moving faster, tools are making more decisions on their behalf, and the supply chain is becoming too large and too automated for manual review to remain the primary defense.

That does not mean open source is going away. It is human nature to share useful things with the wider community. But in a world where AI is helping produce, select, and install open source packages, automated analysis of third-party code becomes a baseline requirement for production software.
