OpenSourceShit Part 2: The Parasites

Part 1 laid out the economics: AI collapsed the cost of producing a plausible contribution to near zero, review capacity stayed flat, and the math broke. That’s true, but it’s also abstract. Nobody gets DDoSed by an economics graph. curl got DDoSed by people. Specific, recognizable, currently-active people.
Here are eight of them. You’ve met all of them. You’ve probably filed a Reddit comment defending one of them without realizing it.
The Ex Stack
“Ex-Uber, ex-Google, ex-Shopify, ex-AWS, ex-…” Read the bio before the code. The résumé is a stack trace of departures, and nobody asks the obvious question: if you were actually valuable there, why aren’t you still there?
I’m not talking about layoffs. Layoffs happen to good engineers constantly, that’s not the tell. The tell is the pattern: four “ex-” prefixes in six years, each followed by a founder title, each company producing a product indistinguishable from what an LLM generates when you ask it to “build a SaaS.” The credibility is inherited from the logo, not earned from the output. It’s a résumé built to be skimmed, because the thing it’s attached to can’t survive being read closely.
The Qemu Kid
They live in r/osdev. They are building an operating system that will run on everything, solve every driver problem, unify every architecture. Ask to see it.
It’s a single main.c. Sometimes a single Rust file, if they’re feeling modern. The AI wrote all of it in one sitting, one giant undifferentiated blob with no module boundaries, no HAL, no actual driver, because writing an actual driver requires reading a datasheet and the AI doesn’t do that unprompted. The scope of the ambition is inversely proportional to the size of the thing that would need to exist to support it. “Universal OS” compresses to 400 lines because nobody involved has ever had to make a real one boot on real hardware.
But the OS is just the mascot. The actual disease is bigger than osdev: building software for a life you haven’t lived yet.
The productivity app, shipped by someone who has never held a job with more than one deliverable a week to manage. The “get through university” app, built by a kid still in high school, prompting an LLM to describe a registrar’s office they’ve never had to argue with. The dating app, confidently generating a matching algorithm from someone with a few months of dating experience total, a problem they haven’t personally solved even once. The mental health app, mood tracker and crisis hotline integration included, built by someone who will absolutely outburst in the replies the moment you say the onboarding flow is confusing.
That last one is the tell for the whole category. Ask how the OS boots on real hardware, or how the app handles a user in an actual crisis, or how the matching algorithm performs against a real cohort, and the answer is never curiosity. It’s never “let me check.” It’s an outburst. The gap isn’t technical, an LLM can generate a competent-looking crisis flow same as it can generate a boot loader. The gap is that none of them have stood inside the problem they’re solving, and the outburst is what happens when that absence gets tested against something real and doesn’t hold.
The Duplication Lover
Usually funded. Usually in their 30s. Usually got a check written against a pitch deck that had “AI-native” in the first line. You open a PR that extracts three copy-pasted blocks into one shared function. You wait.
They complain. Not about a bug you introduced, there isn’t one. They complain about the removal itself, as if the duplication was load-bearing, as if consolidating their own logic into one place is an attack on the codebase rather than a gift to it. This is the same instinct from Part 1’s MSR dataset: 31% of AI-era PR rejections weren’t about broken code, they were about workflow friction. Except here the friction isn’t AI volume, it’s ego. They’d rather maintain the same bug in five files than admit one of the five was unnecessary.
The Serial Forker
You’ve seen the post. “I cloned this open source project, added features nobody asked for, and released it under a new name.” No upstream PR. No attribution. No changelog crediting the thing it’s built on top of. Just a fresh README, a fresh star count starting at zero, and a fresh Show HN thread as if the previous three years of work by someone else didn’t happen.
I made a joke about this pattern with a dummy repo: yakot/seal-of-disapproval. It’s not subtle. It wasn’t supposed to be.
The Haiku-Powered Imbecile
They will spit complex words at you to sound knowledgeable. The words are correctly spelled and incorrectly assembled.
“Per RFC 4837, if you use Rust, you could PCIe port from 4x to 47x by leveraging the MIMO and overclocking.” That is not a real sentence about anything. RFC 4837 has nothing to do with PCIe. MIMO is a radio antenna concept. “Overclocking a bus lane count” is not a thing that exists. But it reads like confidence, and confidence is the entire product. The knowledge is absent. The cadence of expertise is fully intact. That’s the whole trick, and it works often enough to keep happening.
The Test Bombardier
Take an existing library. Point an LLM at it. Generate a thousand tests. Ship a PR titled “improve test coverage.” Post on social media that you “fixed a bug.”
The tests assert nothing meaningful. expect(result).toBeDefined() a thousand times over, green checkmarks stacking up on a coverage dashboard that now says 94% and means nothing. This is the same shape as curl’s bug bounty collapse from Part 1, generated volume with the form of contribution and none of the substance, except here it’s not even trying to find a bug. It’s trying to generate a screenshot.
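A reviewer can measure this directly by running the suite against deliberately broken copies of the code and counting how many it rejects. The sketch below is an added example, not code from this post or any project it mentions; `clampPercent`, the mutants, and the minimal `expect` stand-in are constructed for illustration.

```javascript
// Minimal stand-in for Jest's expect(); only the two matchers used below (hypothetical helper).
const expect = (actual) => ({
  toBeDefined() { if (actual === undefined) throw new Error("expected value to be defined"); },
  toBe(expected) { if (actual !== expected) throw new Error(`expected ${expected}, got ${actual}`); },
});

// Constructed function under test: clamp a percentage into 0..100.
const clampPercent = (n) => Math.min(100, Math.max(0, n));

// Constructed mutants: each one is a deliberately broken clampPercent.
const mutants = {
  noUpperBound: (n) => Math.max(0, n),
  noLowerBound: (n) => Math.min(100, n),
  alwaysZero: () => 0,
};

// Both suites call the function with the same inputs, so a line-coverage
// dashboard scores them identically.
const suites = {
  generated: [
    (f) => expect(f(150)).toBeDefined(),
    (f) => expect(f(-5)).toBeDefined(),
    (f) => expect(f(42)).toBeDefined(),
  ],
  reviewed: [
    (f) => expect(f(150)).toBe(100),
    (f) => expect(f(-5)).toBe(0),
    (f) => expect(f(42)).toBe(42),
  ],
};

// A suite passes against an implementation if no test throws.
function passes(suite, impl) {
  try { suite.forEach((t) => t(impl)); return true; } catch { return false; }
}

// Mutation score: the fraction of broken implementations the suite rejects.
function mutationScore(suite) {
  if (!passes(suite, clampPercent)) throw new Error("suite fails on the correct implementation");
  const killed = Object.values(mutants).filter((m) => !passes(suite, m)).length;
  return killed / Object.keys(mutants).length;
}

// Score every suite by name.
function report() {
  return Object.fromEntries(Object.entries(suites).map(([name, s]) => [name, mutationScore(s)]));
}

console.log(report());
```

A suite that scores zero here stays green no matter how the code breaks, which is the property worth checking before merging a coverage PR.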
The Security Advisor
Someone recently opened 2,400 pull requests in a single week across every OS project they could find. Every report: critical. Some were already known, already triaged, already sitting in a maintainer’s backlog for the right release window. The rest were flags on untouched, unloved, working-fine code from 1983 that nobody has looked at in decades because nobody needed to.
This is curl’s story from Part 1, just spread horizontally instead of concentrated on one project. Same mechanism: AI makes it free to generate a plausible-sounding report, and plausible is enough to force a human to spend real time ruling it out. Two thousand four hundred times, that week, for one person’s LinkedIn post about “responsible disclosure.”
The Vendor-Lock Reverter
I built seuros/kaunta. Someone copied it, not forked it, copied it, hired a handful of junior devs to bolt React onto it, and put back every feature I had deliberately stripped out to keep it a 15MB binary instead of an 8-container stack.
When he ran out of time to maintain what he’d built, he offered me a gig. To work for him. Building the features he’d added back into the thing he took from me.
I laughed for a solid minute. Then I understood why. This is the whole series in one interaction: the parasite doesn’t just consume the work, it eventually tries to hire the host.
None of these eight are hypothetical. Every one of them is a real interaction, sitting in my own GitHub activity if you go looking for it. I’m not linking to any of them. Naming an account and pointing an audience at it turns documentation into a brigade, which isn’t the goal here. The receipts are in my history if you want to go find them. Most readers just want the pattern.
There are more than eight, too. I only wrote the ones I’ve personally lived through. This is a taxonomy built from my own notifications.
They’re not villains either, not really, most of them think they’re contributing. That’s what makes the pattern durable. The Ex Stack thinks the résumé is the work. The Duplication Lover thinks defending their mess is craftsmanship. The Security Advisor thinks 2,400 PRs is diligence, not noise.
curl didn’t close its bug bounty because it hates security researchers. Ghostty didn’t lock its contribution queue because it hates contributors. They closed the door because the people in this list, multiplied by a few thousand, are what’s standing on the other side of it, every single day, at a volume no unpaid maintainer can keep reviewing by hand.
Next: the people who don’t even bother with the pretense of contributing. They just take the name.