The Hidden Costs of Package Registries


Open source package registries (npm, PyPI, Maven Central, crates.io, RubyGems, and others) collectively serve over 10 trillion downloads in 2026, yet remain funded primarily by donations and small volunteer teams. The OpenSSF-affiliated Sustaining Package Registries Working Group outlines the hidden operational complexity behind registries — identity management, namespace protection, supply chain security, availability, and more — and warns that AI is accelerating both legitimate consumption and malicious supply chain attacks. Recent incidents like the Axios compromise and LiteLLM attack illustrate the growing threat. The post calls on commercial stakeholders to become paying customers to ensure long-term sustainability of this critical shared infrastructure.

From openssf.org (6 minute read)

Table of contents of the original post: Behind the Scenes of a Package Registry; Sustainability Call to Action
