OSS has moved to a Dark Forest

May 21, 2026

Frontier AI models can now find software vulnerabilities about as fast as you can pay for the compute to look. A month ago the strategist Drew Breunig argued that this makes cybersecurity what he calls proof of work — a contest settled by willingness to spend on AI models, where defense reduces to a budget question: spend more money on AI protecting your software than your attacker spends on AI exploiting your software. The models he means — the current state of the art like Mythos and what comes next — keep finding exploits as long as you keep paying for tokens. The UK AI Safety Institute's evaluation found exploit finding continued to scale with the token budget — no diminishing returns as the spend expanded, and no leveling in sight. These mechanics appear correct. The conclusion Breunig draws for open source software (OSS) — the libraries in nearly every piece of software you use — does not.

His claim: OSS remains critically important, and it will be defended roughly the way it always has been. That Linus's Law — given enough eyeballs (people's attention), all bugs are shallow — will simply expand to include token spend. And that corporations depending on shared libraries will pool their defensive spend and outpace any individual attacker. This intuition has held for more than two decades, and the mechanism was simple: the greater a package's value at risk — its VaR, the total loss if it is compromised — the more attention it drew from both sides. The two roughly offset.

That equilibrium no longer holds. OSS has moved to the proverbial Dark Forest.

The phrase comes from Liu Cixin's novel The Dark Forest, since borrowed to describe software running in the open and now repurposed here for OSS in general. It names a place where visibility itself invites attack. A place where any move broadcast in the open is a target the moment it is seen. A place where VaR no longer summons a proportional defense — it is the signal that draws the hunter. This is the shape of public software now that security is decided by how much money one is willing to spend. The packages with the most users, the heaviest downstream weight, the most value flowing through them are the ones most worth hunting. And the asymmetry runs entirely in the hunter's favor.

Breunig's whole case rests on one substitution: tokens are the new eyeballs. But eyeballs are basically free (attention of volunteers who freely give their time). The old equilibrium held roughly even because looking cost no one much and the bad actors didn't have enough resources to overcome the volunteers. Tokens change that. The equation now is money and VaR with outcomes that correlate directly to how much one is willing to spend. The equilibrium isn't bending. It has broken.

  1. Pooled defense via tokens doesn't actually pool. The VaR of a foundational package — the cryptographic library at the bottom of a billion endpoints, the serialization library inside every web framework — is the sum of the VaR across all end users' deployments of the package. The asymmetry is not that attackers cooperate — they need not. One exploit of a popular package is worth its global VaR — the loss summed across every deployment that runs it, all of it captured for a cost the attacker pays once. One exploit buys a key that opens thousands of doors.

    Defenders could narrow this by pooling, but they have no mechanism. Coordination and cross-organization sharing are slow and legally fraught. The maintainers are almost always a small set of volunteers who are unrelated to the end users. And even granting that coordination could be solved, it will not be solved in time. The asymmetry is live now and scaling now; the structures that would pool a defense — consortia, funded foundations, shared auditing — take time to create. You cannot get from here to there at the speed the threat is moving.

  2. Change management is the next bottleneck. Even if the pool could be funded at scale, a widely used OSS project cannot review, merge, and release a continuous stream of AI-discovered patches. Mozilla has hundreds of paid engineers and a custom Mythos-driven harness. They shipped 423 security fixes in April, up from a 20-to-30-per-month baseline — an effort they describe as "long days" for 100-plus people. They could absorb it. Most projects cannot. And Mythos isn't even public yet.

  3. The fix lifecycle is itself an attack surface. In a world where exploit-grade vulnerabilities surface faster than deployment windows can patch, you get something resembling Ethereum's mempool — the public staging area where pending transactions sit in the open, visible to anyone, while bots race to exploit those transactions before they are finalized. Every announced patch is a roadmap for the bad actors racing to exploit unpatched deployments before a fix propagates. Fixing in public leaks the bug to whoever did not already have it. Jeff Kaufman documented this at ground level: a kernel patch was independently rediscovered by a second researcher nine hours after the first filed it. The old disclosure cultures — ninety-day coordinated embargoes and Linux's "fix it quietly in the open" — are breaking under the same pressure.

Breunig pairs his pooled-defense argument with an approving citation of Andrej Karpathy: prefer to "yoink" functionality where you can. Yoinking — Karpathy's coinage, since formalized as the backronym YOINK, "You Only Implement Native Knowledge" — is the move where, instead of pulling in a dependency, you have an LLM reimplement just the slice of functionality you actually need, natively, in your own codebase. Karpathy meant it in the small: skip the library for the one function you use. In the dark forest, it does not stay small.

Yoinking is the right move at the code level: if every consumer of a popular library is exposed by the same exploit, not being a consumer is a real win. These re-implementations fragment the attack surface, and the attacker can no longer open thousands of doors at once. Karpathy is correct — and that is exactly the problem, because the security-conscious are going to be the first to leave, and the pool Breunig is counting on hollows from the top.
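One way to find out what a codebase actually uses from each dependency, as an added example that is not from the post or from Karpathy: it parses Python source with the standard ast module, counts the distinct symbols used per third-party package, and flags packages reached through only a symbol or two as yoink candidates. The sample modules and the package names in them are constructed for the demonstration.

```python
import ast
import sys
from collections import defaultdict

# Constructed sample modules; a real scan would read the files from disk.
SAMPLE_SOURCES = {
    "app/fetch.py": """
import os
import requests
from slugify import slugify
def fetch(url):
    r = requests.get(url, headers={"Authorization": os.environ["TOKEN"]}, timeout=5)
    return slugify(r.text[:40]) if r.status_code == requests.codes.ok else None
""",
    "app/push.py": """
import requests
from dateutil import tz
from dateutil.parser import parse as parse_date
def push(url, payload):
    when = parse_date("2026-05-21").astimezone(tz.UTC)
    return requests.Session().post(url, json={"when": when.isoformat(), **payload})
""",
}

STDLIB = frozenset(getattr(sys, "stdlib_module_names", ())) | {"os", "sys"}  # full list on 3.10+

def symbol_usage(sources):
    """Map each third-party top-level package to the distinct symbols the code uses from it."""
    used = defaultdict(set)
    for filename, src in sources.items():
        tree = ast.parse(src, filename=filename)
        bound = {}  # local name -> top-level package, for `import pkg[.sub] [as name]`
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                for alias in node.names:
                    bound[alias.asname or alias.name.split(".")[0]] = alias.name.split(".")[0]
            elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
                for alias in node.names:  # each `from pkg.mod import name` is one symbol
                    used[node.module.split(".")[0]].add(f"{node.module}.{alias.name}")
        for node in ast.walk(tree):  # `pkg.attr` reached through a bound module name
            if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name) and node.value.id in bound:
                used[bound[node.value.id]].add(f"{node.value.id}.{node.attr}")
    return {pkg: syms for pkg, syms in used.items() if pkg not in STDLIB}

def yoink_candidates(sources, max_symbols=2):
    """Packages used through at most max_symbols symbols. The count is a heuristic:
    whether that slice is cheap to reimplement natively is a separate judgment."""
    return sorted(pkg for pkg, syms in symbol_usage(sources).items() if len(syms) <= max_symbols)
```

A package that shows up with three or four symbols of a large API is a dependency you are really using; one that shows up with a single function is the case the post is talking about.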

OSS as we have known it — code published in the open, maintained by volunteers, depended on by everyone — was built for a different threat model. It cannot absorb the new one. What replaces it is not a tiered ecosystem settling into a new equilibrium. It is no equilibrium at all. The long tail goes first — yoinked to zero, every reimplementation locally rational, the OSS commons thinning until there is nothing left worth depending on.

The critical libraries cannot be rescued by a commons that abandoned them. Whatever survives is going to be very different. Maybe something forced into being from outside — insurance and regulation: your cyber policy requires a verified version of library X and does not care that you reimplemented your CSV parser. Or a consortium that tries to pool resources for a few core pieces. These will be forced, not chosen, and they most likely will lag the threat by years. And they will at best enter an endless cycle of cat and mouse where VaR draws the hunter, defenders try to keep up and repeat.

And at the very top — the cryptographic library beneath a billion endpoints — no defensive spend wins. The economics are explicit about this: the larger budget takes it, and no consortium outspends a state. Standardizing on the one verified version everyone uses only builds the richest target that has ever existed. The correction, when it arrives, comes from catastrophe rather than foresight. It overshoots into verify-everything, hits the throughput ceiling, and unwinds. Nothing converges.

This is the defection — the security-conscious leaving. It is also the only rational move left, because the commons is going regardless of what you do. The only choice is whether you leave early or late. So look at what you should yoink now, and how to contain what you cannot. The same AI capability that broke the attacker/defender equilibrium is what makes these moves tractable for a small team. This is the one piece of leverage the defender still has, and the window to use it is open now.

The volunteer-maintained, freely downloadable, transitively trusted ecosystem of the last twenty-five years grew in a clearing.

There is no clearing in the forest.