AI Transformation·4 min read

The Vacancy

136,000 tech workers laid off in 2026. Most contributed free work to open source in exchange for career capital. Everyone's covering the jobs. Nobody's asking what happens to the open source projects.


The Brief

Open source was never an ideology. It was a labor market where developers traded free work for career capital and corporations funded it because the economics worked. AI broke the career ladder, corporations are cutting the teams, and the security model built on volunteer labor is collapsing with them.


Why are open source projects becoming less secure?

The security model depended on volunteer maintainers who reviewed code and patches. Those volunteers contributed in exchange for career capital, with commit history serving as their credential. With AI reshaping hiring and corporations cutting open source teams, the labor that sustained security review is disappearing while attackers are scaling up, with 454,600 malicious packages identified in 2025 alone.

What happened with the IBM and Red Hat open source layoffs?

In April 2026, IBM cut 300 engineers who worked on core infrastructure projects like libvirt, QEMU, and OpenShift. Some found out when their VPN stopped working before anyone called. IBM is simultaneously tripling entry-level hiring for AI management roles, redirecting investment away from the open source teams it acquired for $34 billion.

What is the Mini Shai-Hulud npm worm?

A self-replicating worm discovered in May 2026 that compromised more than 170 packages across npm and PyPI, affecting projects from TanStack, Mistral AI, and Guardrails AI. It hijacked maintainer credentials through GitHub authentication tokens and published validly signed poisoned packages that passed every verification check.

Is AI-written code more reviewable than open source?

In practice, yes. The classical argument for open source was reviewability, but most developers read documentation, not source code. Code built with AI tools sits in your own repo under your own linters and tests, with no documentation drift and no upstream maintainer pushing patches you will never read.

What should laid-off tech workers know about open source careers?

The open source career paradigm, where contributing free work built credentials and maintainer status served as social proof, is eroding. The 136,000 tech workers laid off in 2026 who are investing in GitHub profiles may be polishing a credential the industry has already moved past, as corporations pull funding from the open source teams they used to support.

I used to tell people I preferred open source because I could read the code. That was mostly true. I read the documentation, figured out what I needed, and moved on. If something broke, I looked at the source. Nobody reads the source unless something is broken. We read the docs.

The whole argument for open source was that you could review it. You had the code right there. You could verify it. In practice, volunteers maintained the project, and we trusted them the same way we trusted any vendor. We just felt better about it because the source was technically public.

The Business Model

There was a business model underneath all of that. Developers contributed free work in exchange for career capital. You built your commit history, got maintainer status, and employers noticed. Corporations funded open source because the economics worked. I wrote about what happens when that career ladder breaks in The Broken Rung. Now the corporations are pulling it out entirely. 136,000 tech workers have been laid off in 2026, and the open source engineers are taking a disproportionate share of those cuts.

IBM spent $34 billion acquiring Red Hat. In April 2026, they cut 300 engineers who worked on libvirt, QEMU, and OpenShift.[1] Some found out because their VPN stopped working before anyone called. IBM is simultaneously tripling entry-level hiring for AI management roles.[1]

libvirt still runs. QEMU still runs. Their authors are interviewing at fintech startups.

What Got In

When you lose the people doing the security work, the security stops getting done.

Sonatype counted 454,600 malicious packages across open source registries in 2025.[2] These aren't hobbyists. These are state-level operations running through npm, the same registries developers install from every day without thinking about who reviewed what went in.

Sonatype calls it "toolchain masquerading." The packages aren't pretending to be obscure utilities. They look like build plugins, linters, migration helpers.[2]

In May 2026, a self-replicating worm called Mini Shai-Hulud compromised more than 170 packages across npm and PyPI, hitting TanStack, Mistral AI, and Guardrails AI.[3] It hijacked maintainer credentials through GitHub's own authentication tokens, published new versions of legitimate packages, and moved on to the next maintainer in the chain. Every verification system said the packages were legitimate. Validly signed. Attestation checked out. Poisoned.

The people who used to catch this are getting laid off. The people exploiting it are not.

No maintainer to impersonate. No token to hijack. Just your code.

I'm self-employed. I'm probably the least affected person writing about this. When I build a connector with Claude instead of pulling in a library, I don't inherit any of that exposure. The code is in my repo, under my linters, my tests. Nobody upstream pushing patches I won't read. The code I write with AI is actually more reviewable than the open source I used to advocate for, because I wrote it, and nobody is going to change it on me.

That's the part that gets me. Open source was supposed to be the reviewable option. Yet many of us never reviewed it beyond the documentation provided, unless there was a problem. Now, I haven't touched a line of code since January. And the 136,000 people who just got laid off, the ones updating their GitHub profiles, are wondering whether anyone upstream still considers their open source contributions relevant.


References

  1. Ardell, R. (2026). "IBM Layoffs 2026: Where Displaced Talent Is Going." KORE1

  2. Sonatype. (2026). "The Evolving Software Supply Chain Attack Surface." State of the Software Supply Chain 2026

  3. Lakshmanan, R. (2026). "Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages." The Hacker News


Open Field Journal