Tea.xyz Flags Critical Open-source Supply-chain Risks In 2026

Author: admin
tea.xyz has released new ecosystem findings warning that 2026 will represent a critical inflection point for the global open-source software supply chain, as accelerating AI-driven development collides with maintainer burnout, rising supply-chain attacks, and growing regulatory pressure.


Based on insights from tea.xyz’s real-time dependency graph, which maps millions of open-source packages and their interdependencies, the report identifies a sharp escalation in AI-generated code submissions, coordinated abuse of package registries, and systemic sustainability risks across the software infrastructure that underpins the modern internet.


Together, these trends are placing unprecedented strain on open source at a moment when it has never been more essential.


AI Growth Is Outpacing Maintainer Capacity


AI-assisted development has dramatically increased software output, making it trivial to generate pull requests, bug reports, and even entire packages. However, review, accountability, and long-term maintenance have not scaled at the same pace.


tea.xyz data shows that while automated tools accelerate code creation, validation remains largely manual, time-intensive, and increasingly unsustainable for maintainers.


Industry leaders have publicly echoed these concerns. Daniel Stenberg, creator of curl, has documented a surge in low-quality, AI-generated submissions. Maintainers of major projects such as Electron report rising proposal volumes alongside declining signal-to-noise ratios.


A recent GitHub survey of more than 500 open-source maintainers found that spam mitigation and AI-generated “noise” are now emerging as core operational risks for critical infrastructure projects.

Supply-Chain Abuse Is Accelerating at Scale


tea.xyz’s findings align with a wave of recent security disclosures highlighting large-scale exploitation of public package registries.


Amazon security researchers recently identified over 150,000 malicious npm packages designed to game crypto-based incentive systems, creating self-replicating dependency loops that polluted more than 1% of the npm ecosystem.


Earlier this year, the “Shai-Hulud” worm compromised legitimate packages using stolen developer credentials, impacting libraries with billions of weekly downloads.


“These incidents show how easily automation can be weaponized against open source,” said Tim Lewis, co-founder of tea.xyz. “Attackers no longer need sophisticated exploits. At scale, automation alone is enough.”


The Maintainer Sustainability Crisis Deepens


The long-standing “Nebraska Problem” — where widely used digital infrastructure is maintained by underfunded or unpaid individuals — continues to intensify.


tea.xyz analysis reveals that nearly half of npm packages with more than one million monthly downloads are still maintained by a single person.


Recent examples include:


  • The resignation of libxml2’s sole maintainer
  • Temporary development pauses across popular Kubernetes tooling due to burnout
  • Chronic underfunding of critical projects such as FFmpeg, despite its central role in global media and streaming infrastructure

“Organizations depend on open source at massive scale, but the responsibility still falls on individuals,” Lewis said. “That mismatch is no longer sustainable.”


Regulatory Pressure Raises the Stakes in 2026


At the same time, regulatory expectations are rising rapidly. Initiatives such as U.S. Executive Order 14028, NIST’s Secure Software Development Framework, and CISA’s Open Source Software Security Roadmap are pushing organizations toward auditable, transparent, and secure software supply chains.


However, according to recent Linux Foundation research, most organizations still lack the governance structures required to safely manage open-source dependencies — even as those dependencies power mission-critical systems across finance, healthcare, and government.


tea.xyz aims to help developers, maintainers, and enterprises address these challenges by improving sustainability, accountability, and visibility at the infrastructure layer.


“Open source isn’t failing,” Lewis added. “But it is changing. The systems that supported it for decades must evolve — and in 2026, that reality becomes unavoidable.”


About tea.xyz


Founded by Tim Lewis and Max Howell, the tea Protocol is a decentralized technology framework designed to secure and sustain the open-source ecosystem in the AI era.


tea addresses the Nebraska Problem, where software relied upon by millions is often maintained by a small number of underfunded, unrecognized contributors. Through a real-time dependency graph, tea maps the global open-source ecosystem to identify the most critical and deeply embedded projects in the software stack.


By combining reputation-based systems, aligned economic incentives, and decentralized infrastructure, tea enables developers and maintainers to earn rewards proportional to the real-world impact of their contributions — while improving transparency, accountability, and supply-chain security.


As AI accelerates software creation and deployment, tea extends beyond dependency mapping to support secure, verifiable distribution of open-source software, ensuring provenance, trust, and resilience at global scale.


By applying decentralized, Web3-native principles to open source, tea.xyz is building foundational infrastructure to protect contributors, strengthen security, and support the next generation of internet software.