Tea.xyz warns that 2026 will force a structural reset of open source, as AI-driven scale, supply-chain attacks, and maintainer burnout converge into a systemic risk for global software infrastructure.
Open source software is approaching a critical inflection point in 2026, with fundamental changes required in how it is built, funded, and secured. According to ecosystem findings released by tea.xyz, compounding risks across the global software supply chain are placing unprecedented strain on the infrastructure that underpins the modern Internet.
The pressure is systemic rather than project-specific. AI-assisted development has dramatically accelerated software output, making it trivial to generate pull requests, bug reports, and even entire packages. However, validation, review, and long-term maintenance remain manual, creating an unsustainable imbalance.
Maintainers are facing rising workloads alongside declining quality and signal-to-noise ratios. Curl creator Daniel Stenberg has publicly documented a sharp rise in low-quality, AI-generated submissions overwhelming maintainers.
At the same time, large-scale, coordinated supply-chain abuse is accelerating. Public package registries are increasingly exploited solely through automation. More than 150,000 malicious npm packages were recently identified exploiting crypto-based incentive systems, polluting over 1% of the npm ecosystem. The ‘Shai-Hulud’ worm further demonstrated the risk by compromising legitimate packages using stolen developer credentials, impacting libraries with billions of weekly downloads.
“These incidents show how easily automated systems can be weaponised against open source. Attackers no longer need sophisticated exploits. At scale, automation alone is enough,” said Tim Lewis, Co-founder of tea.xyz.
The maintainer sustainability crisis continues to deepen. Nearly half of npm packages with more than one million monthly downloads are maintained by a single individual, with burnout, resignations, and paused development increasingly common. “Organisations depend on open source at massive scale, but the responsibility still falls on individuals,” Lewis said.
Regulatory expectations are also rising. Governments now expect auditable, transparent, and secure software supply chains, yet Linux Foundation research shows most organisations lack effective open source dependency governance.
“Open source isn’t failing. But it is changing,” Lewis added. “The systems that supported it for decades need to evolve, and in 2026, that reality becomes unavoidable.”