AI coding assistants are resurrecting millions of abandoned open source packages. Learn how LLMs expose the “Dormant Majority” and why package health intelligence is critical for supply chain security.

Snyk's blog is a source of information and advice for developers looking to ensure the security of their software applications. From vulnerability management and secure coding practices to compliance standards and threat intelligence, it covers a wide range of topics relevant to software security. Through practical tips, case studies, and expert commentary, the blog empowers developers to identify and address security vulnerabilities in their code, helping them build and maintain secure software applications in today's threat landscape.

Snyk

AI coding assistants are recommending packages from the 'Dormant Majority' — the 89.5% of the open source ecosystem that consists of abandoned, unmaintained, or experimental projects. Unlike human developers who rely on social trust signals like popularity and maintenance activity, LLMs select packages based on statistical patterns across all historical training data, including dead projects. This creates two key risks: zombie resurrection (recommending unmaintained packages with unpatched flaws) and slopsquatting (attackers registering hallucinated package names with malicious payloads). The post outlines a four-part mitigation strategy using Snyk's tooling: using the Snyk Security Database for package discovery, integrating the Snyk Package Health API into CI/CD and AI workflows, enforcing dependency safety at introduction via Snyk Studio, and treating package-not-found errors as security signals.

The 89% Problem: How LLMs Are Resurrecting the "Dormant Majority" of Open Source

The data: Visualizing the "Dormant Majority"

The strategic pivot: From "popularity" to "provenance"

Snyk’s mission to secure AI-generated code

The AI Security Crisis in Your Python Environment