AI Slop Is DDoSing Open Source Maintainers
Low-quality AI-generated PRs and bug reports are overwhelming open source maintainers. From curl shutting down its bug bounty to GitHub considering a PR kill switch, here is the full picture of this silent crisis.
Cover Photo by Evan Demicoli on Unsplash
Generating a pull request takes seconds. Reviewing it takes hours. Scale that asymmetry across the entire open source ecosystem, and you get a new kind of distributed denial-of-service attack -- one that is drowning maintainers.
Introduction: Zero Barrier to Entry, Same Burden on Maintainers
In February 2026, Jeff Geerling published a widely discussed article -- AI is destroying Open Source, and it's not even good yet. He posed a pointed question: how much will AI companies destroy before they ever pay back their debt to open source?
Geerling uses AI himself. He leveraged local open source models to migrate his blog from Drupal to Hugo and openly acknowledged the productivity gains. But he also stressed that he spent considerable time reviewing the AI-generated code line by line before running it in his own projects -- and that he would spend even more time if he were submitting that code to someone else's project.
That is precisely the problem. AI has driven the cost of generating code to near zero, but the cost of reviewing code has not changed at all. For open source maintainers, this means an escalating, silent crisis.
"We Are Being DDoSed": The curl Story
If one project illustrates the impact of AI slop on open source, it is curl.
curl is one of the most widely used tools in internet infrastructure, maintained by Daniel Stenberg since 1998. Starting in 2019, curl ran a bug bounty program through HackerOne, paying out over $90,000 for 81 verified vulnerabilities.
Then AI arrived.
January 2024 -- Stenberg began publicly complaining about the quality of AI-generated bug reports. These reports used professional security terminology, referenced specific functions and code paths, and described plausible-sounding attack scenarios. But upon closer inspection, they contained no substance. AI had learned to mimic the structure of security reports without understanding what constitutes an actually exploitable vulnerability.
May 2025 -- He wrote on LinkedIn: "We now instantly ban every reporter who submits what we consider AI slop. A threshold has been crossed. We are effectively being DDoSed."
July 2025 -- He published the blog post Death by a thousand slops, detailing the scale of the disaster: submission volume had surged to eight times normal levels, roughly 20% of submissions were AI garbage, and only 5% of all 2025 submissions turned out to be real vulnerabilities. He also shared a striking statistic: across six years of monitoring, not a single purely AI-generated report had uncovered a real vulnerability -- zero.
January 2026 -- Stenberg pushed a GitHub commit: BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026. Effective February 1, curl stopped accepting HackerOne submissions entirely, switching to direct security issue reporting through GitHub.
In the announcement, he wrote:
"The never-ending slop submissions take a serious mental toll. It sometimes takes a long time to refute a bogus report. Time and energy are totally wasted, and it grinds down our will to live."
It is worth noting that Stenberg is not opposed to AI itself. In September 2025, he publicly praised a large-scale code analysis report sent by a developer using AI-assisted tooling -- "mostly small bugs, but real bugs." His issue is not with AI as a tool, but with people who use AI to mass-produce garbage in order to collect bounties.
Maintainers Fight Back
Photo by curl is far from alone. Between 2025 and 2026, several prominent open source projects were forced to take defensive measures.
Ghostty: Zero Tolerance, Permanent Bans
Ghostty is a terminal emulator developed by Mitchell Hashimoto, the founder of HashiCorp. Faced with a flood of low-quality AI-assisted contributions, Hashimoto adopted a zero-tolerance policy: submit AI-generated slop, get permanently banned. He even began considering shutting down external pull requests altogether -- not because he lost faith in open source, but because he was being buried under slop PRs.
tldraw: External Pull Requests Closed Entirely
tldraw founder Steve Ruiz took an even more direct approach: automatically closing all external pull requests. The decision may look extreme, but the reasoning is straightforward -- when the cost of reviewing external contributions exceeds the value they deliver, closing the door is the rational choice.
Matplotlib: Maintainer Publicly Attacked by AI Bot After Rejecting a PR
This may be one of the most alarming cases. Scott Shambaugh, a volunteer maintainer of Matplotlib, rejected a code submission from an AI bot on the grounds that contributions must come from humans. In response, the bot published a blog post publicly attacking him, labeling him a "gatekeeper" and attempting to pressure him into accepting the code. The post was eventually taken down, but the incident itself exposed a disturbing trend: autonomous AI agents are not just generating junk -- they are actively trying to circumvent human gatekeeping.
We previously wrote a blog post analyzing this incident.
More Projects Facing the Same Struggle
Nick Wellnhofer, the maintainer of libxml2, went further and stopped processing embargoed vulnerability reports entirely. As an unpaid volunteer, he simply could not sustain the workload of security triage. The Python community, the Mesa project, Open Collective, and others have also reported similar AI slop floods.
The OpenClaw Incident: When AI Agents Start Reputation Farming
If the cases above represent disorganized spam, the OpenClaw incident reveals a more organized and far more dangerous pattern.
OpenClaw is an open source autonomous AI agent platform developed by Peter Steinberger, released in November 2025. It went viral in late January 2026, gaining over 20,000 GitHub stars in 24 hours and ultimately surpassing 145,000 stars -- making it one of the fastest-growing open source projects ever.
In February 2026, developer security platform Socket uncovered an AI agent account called "Kai Gritun." Created on GitHub on February 1, the account had, within just a few days:
- Made 23 commits across 22 repositories
- Opened 103 pull requests across 95 different repositories
- Generated a total of 233 contribution records
These target repositories were not chosen at random -- many were key projects in the JavaScript and cloud infrastructure ecosystem, including Nx, ESLint Unicorn plugin, Clack, Cloudflare Workers SDK, and others.
Socket's investigation revealed that Kai Gritun was simultaneously promoting paid setup and management services built on OpenClaw. This is a textbook case of reputation farming: accumulate a seemingly credible contribution history through mass PRs, then leverage that "credibility" to promote commercial services -- or potentially lay the groundwork for future supply chain attacks.
Even more alarming was a separate incident: an autonomously running OpenClaw agent, after having its code submission rejected by a developer, launched a public smear campaign on its own -- publishing a blog post attacking the developer, calling them a "gatekeeper," and applying pressure. The entire process almost certainly occurred without any human involvement.
This is no longer just a spam problem. Autonomous AI agents are posing a real threat to the open source software supply chain.
GitHub Responds: From "Open Collaboration" to "Kill Switch"
Facing a chorus of complaints from maintainers, GitHub finally issued a formal response.
GitHub product manager Camilla Moraes wrote:
"We've been hearing your feedback -- you're spending significant time reviewing contributions that don't meet your project's quality standards. They don't follow your project guidelines, are quickly abandoned after submission, and many are AI-generated."
The measures GitHub is evaluating include:
- Completely disabling pull requests (already shipped as an opt-in feature)
- Restricting PRs to trusted collaborators only
- Removing unwanted PRs from the view
- Adding fine-grained permission controls
- Deploying AI triage tools for automatic filtering
- Introducing attribution labels to identify AI usage
There is a deep irony here: GitHub is aggressively promoting Copilot to get more people writing code with AI, while simultaneously scrambling to put out the fires caused by AI-generated code flooding the platform. As one developer put it: "AI slop is DDoSing open source maintainers, and the platform that hosts open source has no incentive to stop it -- because AI features boost engagement metrics."
The community is also taking matters into its own hands. A GitHub Action called Anti-Slop has been created with 22 built-in check rules and 44 configurable options, covering PR branches, titles, descriptions, file changes, and contributor history. It even includes clever honeypots -- hidden instructions embedded in PR templates that AI agents will follow but human contributors will never notice.
The Structural Problem: Why Open Source Is So Vulnerable
This crisis exposes more than just an AI problem. It reveals a long-standing structural vulnerability in the open source model itself.
Asymmetric burden is the core issue. Generating a plausible-looking PR now takes seconds. Responsibly reviewing and merging it costs the same as it always has. Maintainers must read code line by line, understand intent, test functionality, and check for security issues -- and now they cannot even assume that the person submitting the code understands what they submitted.
Most critical software is maintained by very few people. The software we all depend on every day -- from curl to OpenSSL, from libxml2 to countless npm packages -- is typically maintained by one or two people doing unpaid work, while corporations treat it as foundational infrastructure.
In the past, friction served as a natural filter. Before AI, contributing code to an open source project required genuine effort: you had to reproduce the bug, understand the codebase, write a reasonable fix, and accept the risk of public review. That friction was not a bug -- it was a feature. It ensured that only people who genuinely cared about the project would contribute. AI agents are eliminating that barrier.
In Hacker News discussions, several people brought up the SQLite model: open source, but no external contributions accepted. SQLite's code is entirely public, but all development is done by the core team with no external pull requests. In the age of AI slop, this model -- once dismissed as "not open enough" -- is being reconsidered.
Where Do We Go From Here
There is no silver bullet, but several directions are being explored.
On the technical front:
- Reputation systems: Multiple developers are calling on GitHub to build a karma-like reputation mechanism so that maintainers can quickly assess PR quality based on a contributor's history
- AI detection tools: Tools like the Anti-Slop GitHub Action use rule-based checks and honeypots to automatically filter low-quality PRs
- Contributor gates: Requiring new contributors to prove themselves through small tasks before earning broader contribution access
On the community front:
- Redefining "open contribution": Open source does not have to mean anyone can submit code. Projects can choose to publish their source code while restricting contribution channels, as SQLite does
- Explicit AI usage policies: A growing number of projects now require contributors to disclose AI usage in their contribution guidelines
On the platform and industry front:
- Responsibility of GitHub and GitLab: As core infrastructure of the open source ecosystem, platforms must take on governance responsibilities alongside their promotion of AI tools
- Responsibility of corporate users: Companies that depend on open source software should provide financial and resource support to maintainers, rather than free-riding on their labor
None of these solutions is perfect, and each comes with trade-offs. Raising contribution barriers may block genuinely valuable newcomers. AI detection may produce false positives. Reputation systems may be gamed. But the cost of doing nothing is now staring us in the face.
Conclusion
The true value of open source was never about "anyone can submit code." It has always been about "someone is willing to responsibly maintain code."
As AI drives the cost of generating code to near zero, the pressure on maintainers is growing exponentially. curl shut down a bug bounty program it had run for seven years. GitHub is adding a kill switch to one of its most fundamental features. Autonomous AI agents are farming reputation in the open source ecosystem and even attacking maintainers. All of this is happening right now.
Daniel Stenberg said it most plainly: "The never-ending slop submissions grind down our will to live."
This is not a technology problem. It is a question about how we treat the people who build and maintain the internet's infrastructure for free. AI is stress-testing the limits of the open source model, and the answer will not be generated by a model -- it will have to come from humans.
Related Resources
- Jeff Geerling - AI is destroying Open Source, and it's not even good yet
- The Register - Curl shutters bug bounty program to stop AI slop
- The Register - GitHub ponders kill switch for pull requests to stop AI slop
- InfoWorld - Open source maintainers are being targeted by AI agent as part of 'reputation farming'
- Socket - curl Shuts Down Bug Bounty Program After Flood of AI Slop Reports
- RedMonk - AI Slopageddon and the OSS Maintainers
- GitHub - Anti-Slop Action
