
For decades, the software industry treated free and open source software as one of modern engineering’s greatest achievements. Shared libraries and reusable components allowed teams to build faster, collaborate globally, and avoid reinventing the wheel. In many cases, these tools were maintained by communities and made available at no cost.
That model helped shape the modern internet. But today, the same ecosystem faces growing pressure from a new combination of forces: increasingly sophisticated supply chain attacks and the rapid adoption of AI-assisted development.
Open source ecosystems have long attracted attackers because they sit close to developers, credentials, and build systems, so the attack technique itself is not new. What has changed is the scale.
In 2025 alone, more than 454,600 newly identified malicious software packages were detected across public ecosystems[1]. When combined with estimates suggesting that more than 90% of a typical application now consists of third-party code[2], the result is a rapidly expanding attack surface.
At the same time, AI assistants are accelerating software development workflows. Trusted by teams, these tools can list possible solutions, generate boilerplate code, suggest upgrades, or propose fixes. But they also introduce a new kind of operational risk: entire systems can now be built with minimal human curation, limited sanity checks, and only cursory code reviews.
An AI model may recommend a package version that does not exist, suggest an outdated dependency, or reference a library that has already been compromised. Attackers are already exploiting this behaviour, increasingly using AI and autonomous agents to scale and accelerate their own operations. According to recent industry reports, the average time required to launch an attack has fallen dramatically, with some incidents progressing from compromise to execution in a matter of seconds.
This trend is no longer theoretical. Since late 2025, security researchers have observed multiple attacks targeting the software supply chain through AI-assisted techniques. Examples include attacks against the Nx build system, compromised open source packages distributed through Microsoft’s ecosystem, and campaigns designed to manipulate AI-powered coding agents into introducing malicious components into development environments.
The attack no longer depends on directly breaching infrastructure. Instead, it blends into ordinary development workflows. Malicious actors can publish packages with names similar to those generated or suggested by AI systems, knowing that developers working under time pressure may copy and install them without verification. As AI-generated code becomes more common, the software supply chain itself increasingly becomes the attack surface.
That is the real warning surrounding AI-assisted development, and it creates a deeper challenge for the industry: trust at scale.
For years, conversations around software focused primarily on speed: shipping faster, automating faster, scaling faster. AI has amplified this trend dramatically, accelerating everything from code generation to deployment workflows. But attackers are benefiting from the same dynamics. According to recent security research, the average attack now unfolds in approximately 29 minutes, while the fastest recorded compromise in 2025 took just 27 seconds[7] from initial access to impact.
As both development and attacks accelerate, the window for human verification continues to shrink. The modern software supply chain has become so interconnected that trust itself is now critical infrastructure. The challenge is no longer simply building software faster, but ensuring that the components, tools, models, and recommendations we rely on remain worthy of that trust.
Organizations increasingly need to answer difficult questions:
● Where did this code come from?
● Has it been modified?
● Can its origin be verified?
● was the build process trustworthy?
● is the software still actively maintained?
And the blame cannot simply be placed on the open source ecosystem itself. In many ways, it remains one of the most successful collaborative projects in human history. The problem is that the industry continues to depend on open source as if it were free infrastructure with infinite capacity and no maintenance burden. It is not. Critical libraries are often maintained by small teams or even individual contributors. Security reviews are inconsistent. Dependency trees continue to grow larger and more fragile.
That does not mean AI should be abandoned. Used carefully, AI tools can improve developer productivity, assist with remediation, and reduce repetitive work. But they require guardrails, and those guardrails are increasingly well understood.
These include dependency pinning and lockfiles to reduce supply chain drift, Software Bills of Materials for software transparency, and provenance frameworks such as Sigstore and SLSA to verify how artifacts are built and where they originate. Automated review gates and package allowlists further reduce exposure to untrusted components.
As AI systems become more autonomous, additional controls are emerging. Agentic AI requires dedicated governance, as it can be manipulated through prompt injection or used to access or exfiltrate sensitive data when granted broad permissions. Similarly, third-party AI models should be vetted before deployment and monitored at runtime for anomalous behavior, including unexpected network activity or data access patterns.
None of these measures eliminate risk entirely. But together they shift security from an exercise in trust to one of verification. In an ecosystem increasingly shaped by automation and AI-generated code, that distinction may prove essential.
About the Author
Ida is a marketing and community strategist working at the intersection of technology, open source, and developer ecosystems. With more than a decade of experience supporting software conferences, startups, and technical communities across Europe, she specialises in translating complex technical ideas into engaging narratives that connect people, products, and organizations. She currently works as a Regional Representative for NGI ZERO.