Welcome to the strip mining era of open source security
LLM-powered code scanners are uncovering security vulnerabilities in open source projects at roughly 10x the historical rate. Metabase went from about 10 security reports per month to about 10 per week starting in early 2026, and many of them are legitimate findings. This "strip mining" effect means that any public codebase can now be bulk-scanned cheaply by anyone willing to spend tokens on AI agents. For OSS maintainers, the consequence is that every disclosed vulnerability should be treated as already public and fixed immediately. For OSS users, it means budgeting for frequent upgrades, pinning dependencies, practicing defense in depth, improving observability, and enforcing least-privilege access. The long-term outcome is more secure software, but the short-term pain is significant, especially for non-commercial maintainers without dedicated security staff.
Table of contents
This all started a few months ago
What this means for OSS maintainers
What should you be doing?
What should you do if you're using Open Source Software?