https://fosdem.org/2026/schedule/event/8WJKEH-package-registry-economics
Open source package registries are operating on dangerously thin financial margins, leaving them unable to fund the very security measures needed to protect the global software supply chain, according to Michael Winser, co-founder of Alpha-Omega, a Linux Foundation project dedicated to securing open source infrastructure. Speaking at FOSDEM 2026, Winser warned that major registries including PyPI, npm, Crates.io, RubyGems, and Maven Central are all experiencing exponential growth in usage while their funding and staffing remain effectively flat — a trajectory he described bluntly as “living on borrowed time.” A deep dive Alpha-Omega conducted into registry operations revealed that bandwidth accounts for roughly 25% of total costs, followed by storage, compute, and malware mitigation, while security feature development remains severely underfunded.
The scale of the malware problem facing these registries is striking — between 2019 and January 2025, repositories detected 845,000 malicious packages, with the vast majority targeting npm. It currently takes a median of 39 hours to remove a malicious package once identified, a window wide enough for a self-propagating worm to spread across an entire ecosystem, as demonstrated by the Shai-Hulud outbreak on npm in September 2025. AI-generated code is further accelerating the flood of new packages submitted to these registries, compounding both the storage burden and the challenge of identifying malicious submissions before they cause widespread damage.
Winser walked through several potential revenue models — including per-package fees, subscriptions, and enterprise tiers — but dismissed each as unworkable, noting that any attempt to monetise a registry monopoly would likely drive developers to create alternative, less secure registries. Alpha-Omega currently underwrites a significant portion of security work across the ecosystem, a situation Winser called “distressing” given that a single missed funding round could cripple multiple registries simultaneously. His proposed path forward centers on persuading corporations to treat registry support as a standard operational cost rather than a discretionary charitable donation — though he admitted plainly, “I don’t have the answers.”