惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
小众软件
小众软件
The Last Watchdog
The Last Watchdog
Latest news
Latest news
P
Palo Alto Networks Blog
C
Cisco Blogs
C
Cyber Attacks, Cyber Crime and Cyber Security
L
Lohrmann on Cybersecurity
P
Privacy International News Feed
NISL@THU
NISL@THU
T
Threat Research - Cisco Blogs
T
Threatpost
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
Spread Privacy
Spread Privacy
T
Tor Project blog
Cyberwarzone
Cyberwarzone
C
Cybersecurity and Infrastructure Security Agency CISA
AWS News Blog
AWS News Blog
S
Securelist
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Simon Willison's Weblog
Simon Willison's Weblog
P
Privacy & Cybersecurity Law Blog
Hugging Face - Blog
Hugging Face - Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
C
CERT Recently Published Vulnerability Notes
V
Visual Studio Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
博客园 - 司徒正美
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
罗磊的独立博客
A
Arctic Wolf
腾讯CDC
WordPress大学
WordPress大学
IT之家
IT之家
Last Week in AI
Last Week in AI
博客园 - 聂微东
P
Proofpoint News Feed
Y
Y Combinator Blog
Apple Machine Learning Research
Apple Machine Learning Research
Hacker News: Ask HN
Hacker News: Ask HN
Help Net Security
Help Net Security
Blog — PlanetScale
Blog — PlanetScale
爱范儿
爱范儿
美团技术团队
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Tailwind CSS Blog

2024 Sonatype Blog

Open Source, Open Infrastructure, and the Space Between Request for Comments: CARE and Maven Central Q2 2026 Open Source Malware Index AI Is Forcing a New Open Source Security Model Vulnerability Prioritization Is Missing the AI-Era Point The Hidden National Security Threat Inside AI-Driven Software Miasma Returns: Leo Platform Compromise in npm The Rise of Collective Defense for Open Source Signal Over Noise: Reachability Analysis Is the Reality Check SCA Has Been Missing Software Security Has to Start at Assembly easy-day-js Targets Mastra, Dependency Attacks Grow Open Publishing, Commercial Scale Software Dependency Cooldowns Are a Symptom, Not a Strategy Atomic Arch npm Campaign Adds Malicious Dependency From SBOMs to AI BOMs: Why SPDX 3.0 Matters Mythos Found 10,000 Vulnerabilities. The Bigger Challenge Is Fixing Them New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages Lazarus Group's Latest: Brandjacking Campaign on npm 5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook The AI Race Is Becoming a Remediation Race Red Hat Cloud Services npm Packages Hijacked Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies AI Is Making Software Autonomous, and Governance Must Follow Your Outdated Repository Still Works, But It May Not Be Safe Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT AppSec Tools Explained: SAST vs SCA vs DAST | Sonatype Managing Open Source Software Risks With the HeroDevs EOL Dashboard Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target Building Trusted AI Development With Kiro and Sonatype Guide How to Build a Software Supply Chain Security Playbook The Evolution of Open Source Malware: From Volume to Trust Abuse The Mythos AI Vulnerability Storm: What to Do Next Malicious PyTorch Lightning Packages Found on PyPI Why Developer Experience Is the Foundation of DevSecOps Success Q1 Updates in Nexus Repository: More Formats, Stronger Operations, and a Better Day-to-Day Experience Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths The Time Is Now to Prepare for CRA Enforcement Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition Mythos and the AI Vulnerability Storm: Exploring the Control Point When AI Writes Code, Who Governs the Dependencies? Why Software Supply Chain Security Requires a New Playbook Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust Modernizing Nexus Repository: Moving Beyond OrientDB AI, DevSecOps, and the Future of Application Security: The Gartner® Report How Sonatype's Container Scanning Protects You From Zero-Days Axios Compromise on npm Introduces Hidden Malicious Package Is Your Repository Ready for What's Next? Autonomous Development and AI: Speed vs. Security Grounded Intelligence Ensures Safe AI Software Development Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer Golden Pull Requests: Automating Trusted Remediation Without Breaking Builds Sonatype Discovers Two Malicious npm Packages
Open is Not Costless: Reclaiming Sustainable Infrastructure
brianf@sonat · 2026-04-29 · via 2024 Sonatype Blog

For years, the software industry treated public package registries like a law of nature. They were simply there. Immutable, invisible, and somehow outside the normal rules of cost, capacity, and responsibility.

That was always a fantasy. Now the fantasy comes with a high price tag.

Package registries sit directly in the path of modern software delivery. Every build, every dependency resolution, every security scan, every ephemeral CI job, every automated publish step leans on infrastructure that much of the industry still treats as if it were a free and infinite public utility.

It is neither.

This was never just about abuse

The easiest story is that public registries are under strain because of bad actors, but that story is too neat to be useful.

A great deal of the pressure comes from perfectly respectable organizations running perfectly respectable systems in profoundly irresponsible ways at scale. Redundant downloads. Bypassed caches. CI fleets that hit the same artifacts over and over. Security tooling that behaves like bandwidth is free. Framework and tooling defaults that make the laziest path the most expensive one for everyone else.

The problem is not merely abuse.

It is industrial overconsumption wearing the mask of normal operations.

Rate limiting is what happens when restraint fails

When a small percentage of consumers can impose disproportionate costs on shared infrastructure, rate limiting stops being controversial and starts being overdue. But let’s not romanticize it.

Rate limiting is not a sustainability strategy. It is what you deploy when the ecosystem has mistaken patience for infinite capacity. It is an emergency brake. A boundary. A way of forcing reality back into a conversation that convenience had largely replaced.

Necessary: yes.

Enough: no.

If the incentives do not change, rate limiting just teaches people where the guardrails are.

The real problem is cost transfer

This is the part the industry still prefers not to say out loud.

For years, organizations have externalized the operational cost of their own speed and convenience onto shared public infrastructure. Skip the cache. Parallelize harder. Scan more often. Pull directly from the registry because it is easier than running local controls. Treat every public service like an extension of your internal platform, then act surprised when someone suggests that maybe this arrangement has limits.

Some of what gets labeled as efficiency is really just cost-shifting with better branding.

Open source infrastructure has been subsidizing private convenience at industrial scale. Not because anyone thoughtfully designed it that way, but because the ecosystem got used to the subsidy and started calling it normal.

Open is not the same as free.

And free is not the same as costless.

This is larger than any one registry

What began as an operational reality on Maven Central is no longer best understood as a Maven Central story.

The same pattern is appearing across ecosystems. More machine traffic. More automation. More scanning. More expectations around uptime, integrity, provenance, and policy enforcement. More cost. More support burden. More dependency on infrastructure that the industry still talks about as though it runs on goodwill and spare time.

Different registries have different histories. But they are all being dragged toward the same uncomfortable truth: critical infrastructure cannot be sustained indefinitely on vague gratitude and bad defaults.

The story so far

First, we learned that the old abuse model was too small. The heaviest strain does not always come from obviously malicious traffic.

Then, we learned that rate limiting is necessary but insufficient. It can contain damage, but it cannot repair bad incentives.

Next, we learned that the waste often starts upstream, in tooling, defaults, architecture, and organizational choices that push private convenience onto public cost.

Now we are learning the last part: sustainability has to be made explicit.

Not assumed. Not inherited. Not deferred until the next outage, funding gap, or quiet exhaustion of the people holding the system together.

The choice

We can keep pretending public registries are magical civic monuments to infinite abundance. Or we can admit what they are: shared operational systems carrying more load, more risk, and more responsibility than the ecosystem has been willing to fund or govern honestly.

One of those paths ends in stewardship. The other ends in scarcity making the decisions for us.

Further reading

Tags