Attach financial incentives to open source metrics and watch the spam flood in.

Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

Package management systems are vulnerable to metric manipulation at scale. The tea.xyz experiment demonstrated how financial incentives led to 150,000+ spam packages flooding npm, RubyGems, and PyPI. Six million fake GitHub stars have been identified, with services selling stars for as little as 10 cents each. These metrics—downloads, stars, dependencies—were designed as quality proxies but cost nothing to manufacture. The problem intensifies as AI coding assistants trained on this data propagate manipulated packages, and as these metrics influence government policy, corporate procurement, and potentially prediction markets. The low-barrier ecosystem that enabled open source growth now enables industrial-scale gaming.

How to Ruin All of Package Management