The Year Offensive AI Started Rewriting Open Source

Thiago Victorino

Three signals landed in a single month, and together they describe a shift in how software is distributed, consumed, and trusted.

On April 7, Anthropic announced Mythos Preview and demonstrated autonomous vulnerability discovery in production kernels. On April 13, a researcher publishing as “dp” let OpenAI’s Codex loose on a Samsung TV and watched it chain six steps from browser shell to root. On April 14, Cal.com closed its source code after five years of being an open-source success story. On March 30, a developer named Dani Akash had already shown that one line of config in your package manager would have blocked eleven of the twenty-one biggest npm supply-chain incidents in history.

Offense, response, counterweight. That is the shape of the current moment.

Offense is compounding

As we explored in “An AI Found Five Linux Kernel Bugs. Now What?”, the capability curve was already visible before Mythos. A single researcher with Claude found a 23-year-old Linux kernel bug. That was the preview. Mythos is the production version.

Then came the Samsung TV post. A researcher points Codex at an ARM firmware tree, a live shell, and a build environment, and walks away. The agent enumerates devices, notices a world-writable kernel driver called ntksys exposed through a MODE="0666" udev rule, reads /proc/cmdline to learn the physical memory layout, confirms the primitive by remapping a known-good address, overwrites the browser process’s credential structure to become uid=0, and wraps a static ARMv7 binary in memfd to slip past Tizen’s execution-prevention. No shellcode. Pure data-only escalation, the kind of technique that assumes every modern mitigation (NX, CFI, UEP) is already in place.

The technical feat is not the story. The economics are. Anthropic reported the OpenBSD discovery run cost under $20,000. Morgan Ellis’s independent analysis put the per-bug cost below $50 at scale. Linus’s Law, the axiom that “given enough eyeballs, all bugs are shallow,” assumed human attention was the bottleneck. When attackers can rent more attention than defenders can muster, publishing the blueprint stops being protective. It starts being the attack surface.

That is the argument Cal.com made.

The response: walls go up

Cal.com’s CEO Bailey Pumfleet framed it in one line that every commercial OSS maintainer now has to answer:

“Open source code is basically like handing out the blueprint to a bank vault. Now there are 100x more hackers studying the blueprint.”

The trigger Pumfleet cites is Anthropic’s Mythos announcement. He writes that AI “uncovered a 27-year-old vulnerability in the BSD kernel, one of the most widely used and security-focused open source projects, and generated working exploits in a matter of hours.”

A careful reader should pause here. Two different BSD findings have been conflated in public commentary. The 27-year-old bug is in OpenBSD’s TCP SACK implementation, a signed-integer overflow that produces a null-pointer denial of service. No CVE has been issued for it yet. The remotely exploitable flaw that hands you a root shell is a separate, roughly 17-year-old bug in FreeBSD’s NFS kgssapi module (CVE-2026-4747). Both came from Mythos. Conflating them compresses a serious DoS into a cinematic RCE, which makes the rhetorical case stronger than the technical one.

The findings are real. The framing is compressed. Both can be true at once.

The harder question is why Cal.com specifically, and why now. As “AI Governance Is Cybersecurity” argued, security posture and governance posture have collapsed into a single discipline. Cal.com’s pivot is the first high-profile case of that collapse forcing a distribution-model decision. But Cal.com also published Cal.diy, an MIT-licensed fork for hobbyists, at the same moment it closed the main tree. If the argument is that AI can systematically scan open codebases for vulnerabilities, a publicly forked codebase of the same scheduling domain remains scannable. The security argument does not survive on its own terms.

The more honest read is that security was the accelerant for a commercial decision already in flight. Cal.com has spent eighteen months building Teams and Enterprise tiers. Cal.diy is routed, in its own docs, toward hobby users while commercial customers are steered to the paid product. The closed-source announcement completes an arc the company was already walking.

None of this makes the security rationale fake. It makes it partial. Mythos gave Cal.com a defensible reason to do what its business model already wanted. Expect more of this pattern wherever a company (a) handles regulated data, (b) can absorb the community cost, and (c) perceives the offense/defense gap as durable. Postgres, Kubernetes, Linux, Django, React, Svelte — none of those will close. The moves will concentrate at the commercial edge of OSS, not the civic core.

The counterweight: one line of friction

Walling off code is one response. Adding friction to the distribution path is another, and it scales to everyone.

Dani Akash’s post on the simplest supply chain defense is the quietest of the three signals and the most actionable. His claim: setting minimumReleaseAge = 7 days in your package manager would have blocked eleven of the twenty-one major npm supply-chain incidents of the past eight years. Axios (March 2026, live for under three hours). Nx/S1ngularity (August 2025). tj-actions/changed-files (March 2025). Ultralytics, Solana web3.js, Ledger Connect Kit, ua-parser-js. The pattern he names is smash-and-grab: a maintainer account gets compromised, a malicious version ships, the community notices within hours, the package is yanked. A seven-day cooldown turns that into a bet the attacker almost always loses.

As “Supply Chain, Two-Front Crisis” argued, the attack surface now spans packages and models. Akash’s defense is temporal, not cryptographic, and that is why it works at scale. It does not require registry changes, reproducible builds, or signing infrastructure. It requires one config line in Bun, npm (v11.10+), pnpm (v10.16+), or Yarn 4 (v4.10+).

Three caveats belong in any honest endorsement. First, urgent security patches are also delayed seven days, which means your defender’s clock loses the same speed the attacker’s does. Any serious deployment needs an override path for triaged CVE fixes. Second, Go, Maven, Gradle, and Composer do not support this. Polyglot organizations end up with JavaScript hardened and everything else not. Third, the defense fails against long-dwell attacks. XZ Utils, SolarWinds, 3CX, Log4Shell — none of those are in the eleven that get blocked. They are a categorically different problem that “Clinejection and the New Supply Chain Agent Surface” begins to map.

With those caveats, the policy still offers the best defense-for-cost ratio available in 2026. Pair it with Renovate’s minimumReleaseAge or Dependabot’s cooldown, and ship an allowlist for emergency patches.
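The cooldown and its emergency override can be expressed as one small selection rule. The sketch below is an added example, not code from Akash's post or from any package manager: the package name, the publish timestamps, and the `pickVersion` helper are all constructed for illustration, and it handles plain x.y.z versions only.

```javascript
// Added example: a release-age gate with an emergency allowlist.
// All names and data here are hypothetical and constructed for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;

// Compare plain x.y.z versions numerically (prerelease tags are not handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return the newest version that has either aged past the cooldown or been
// explicitly allowlisted as a triaged emergency fix; null if none qualifies.
function pickVersion(name, publishTimes, now, minAgeDays, allowlist = []) {
  const eligible = Object.entries(publishTimes)
    .filter(([version, iso]) => {
      const ageMs = now - Date.parse(iso);
      const overridden = allowlist.includes(`${name}@${version}`);
      return overridden || ageMs >= minAgeDays * DAY_MS;
    })
    .map(([version]) => version)
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Constructed sample: per-version publish timestamps for a hypothetical package.
const PKG = "example-http-client";
const NOW = Date.parse("2026-03-31T12:00:00Z");
const samplePublishTimes = {
  "1.4.0": "2026-01-10T09:00:00Z",
  "1.4.1": "2026-02-20T09:00:00Z", // 39 days old: passes a 7-day gate
  "1.4.2": "2026-03-31T09:30:00Z", // 2.5 hours old: held back by the gate
};

// Default policy: the hours-old release is skipped.
const gated = pickVersion(PKG, samplePublishTimes, NOW, 7);
// Override path: a reviewer has triaged 1.4.2 as an urgent fix.
const overridden = pickVersion(PKG, samplePublishTimes, NOW, 7, [`${PKG}@1.4.2`]);
console.log({ gated, overridden });
```

The same rule shows the third caveat: anything that has sat in the registry for longer than the window, such as 1.4.1 here, passes regardless of what it contains.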

The pattern that is emerging

Name the asymmetry plainly: offense compounds through automation; defense still runs on human cycles. Cal.com responded by removing the blueprint. Akash responded by changing the clock. Anthropic, in the same week, announced Project Glasswing — $100M in Mythos credits and $4M in OSS security donations, distributed through twelve founding partners including AWS, the Linux Foundation, and the Apache Software Foundation. That is the same pattern as “Cloudflare Makes AI Security Governance Table Stakes”: infrastructure vendors converging on governance as the durable layer.

Three moves, three motivations, one direction. Governance is becoming the distribution model.

I would hold the “wave of closings” thesis loosely. The April 2026 moment is a commercialization event, not a capability event — academics published LLM zero-day exploitation results in mid-2024 (arXiv 2406.01637), and defenders get AI-accelerated too. But the signal is clear enough to act on now. If your organization ships a commercial-OSS product, the question is no longer whether to publish. It is which parts to publish, which parts to gate, and what provenance you can attest to either way. If your organization consumes OSS, the question is how much temporal friction you can afford, where you cannot afford it, and who owns the override.

The worst move is to treat open source as binary. Closing everything and publishing everything are both concessions to panic. The companies that win the next twelve months will be the ones with the most granular answer to the question Cal.com just asked in public.


This analysis synthesizes “Cal.com Goes Closed Source” (April 2026) by Bailey Pumfleet, “Codex Hacked a Samsung TV” (April 2026) by Calif Blog, “The Simplest Supply Chain Defense” (March 2026) by Dani Akash, and “Mythos Preview” (April 2026) by Anthropic.

Victorino Group helps teams design AI-era security posture without abandoning open source on reflex.

All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com.
