Funding Woes Hit Open Source Package Catalogs

Michael Winser, co-founder of the Alpha-Omega initiative to improve open source software security, addressed the issue of infrastructure sustainability at FOSDEM 2026. The funding models for popular package directories such as PyPI (Python), npm (Node.js), Crates.io (Rust), RubyGems (Ruby), and Maven Central (Java) are currently unable to keep up with the exponential growth in downloads and data volumes. This puts the stability of their operations at risk and hinders the development of measures to identify malicious packages and protect against dependency attacks.

Many package directories operate at the edge of financial viability, relying on inconsistent grants, donations, and free resources. Network bandwidth (communication channels) accounts for about 25% of costs, followed by data storage (18%), computing power (15%), and security against malicious activity (12%). Only 2% of funds are allocated to developing new features, and documentation preparation does not even make it into the top ten expense items.

Winser highlighted the substantial costs of maintaining directories like Crates.io, which handles approximately 125 billion downloads annually, amounting to $5-8 million per year. This does not include the free support provided by services like Fastly, which serves Crates.io traffic at no cost. For PyPI, which hosts over 700 thousand packages with a total traffic of about 747 petabytes per year (189 Gbps), the monthly cost of network bandwidth alone would be approximately $1.8 million without Fastly's sponsorship.

Of particular concern is the rise in malicious packages, some of them even generated using artificial intelligence. The median time from the publication of a malicious package to its removal is 39 hours, which leaves ample time for it to spread through the dependency chain. In a notable incident in September 2025, the self-replicating Shai-Hulud worm infected the npm ecosystem.
