Safeguard
Open Source Security

The Long Tail of Abandoned Open Source Projects and Enter...

Abandoned open source packages sit quietly in enterprise SBOMs until a burned-out maintainer, a hijacked account, or a patient attacker turns them into the next supply chain incident.

Vikram Iyer
Security Researcher
7 min read

In March 2024, a Microsoft engineer named Andres Freund noticed that SSH logins on a Debian testing box were taking about 500 milliseconds longer than they should. Pulling on that thread unraveled a nearly two-year campaign to backdoor XZ Utils, a compression library buried so deep in the Linux stack that almost nobody outside a handful of distro maintainers had ever heard of it. The project had one exhausted maintainer, Lasse Collin, who had been publicly asking for help since 2022. An attacker using the name "Jia Tan" answered that call, spent two years building trust as a co-maintainer, and then slipped CVE-2024-3094 into a release. XZ Utils is not a freak occurrence. It is a preview of what happens when the volunteer labor holding up modern software quietly runs out, and enterprises keep shipping the result without ever checking whether anyone is still maintaining it.

What Does "Abandoned" Actually Mean for an Open Source Package?

A package earns the label "abandoned" when there has been no meaningful commit activity for a year or more, open issues and security reports sit unanswered for months, and the project has effectively one person who could respond if something went wrong — a "bus factor" of one. That last part matters more than the calendar. The Linux Foundation and Harvard's Laboratory for Innovation Science ran a Census of open source software in 2020 and found that even among the most widely depended-upon packages in the world, maintainer counts were strikingly thin — many of the top packages that thousands of commercial products rely on are effectively kept alive by one or two people in their spare time. A project doesn't need to be officially archived to be dangerous; it just needs to be one missed email away from having nobody who can ship a fix, review a pull request, or notice that a "helpful" new co-maintainer has bad intentions.

How Widespread Is the Problem Across Enterprise Codebases?

It's far more common than most security teams assume, because open source now makes up the majority of the code running in commercial applications, not a minor slice of it. Synopsys's annual Open Source Security and Risk Analysis has repeatedly found that roughly nine out of ten commercial codebases contain components that are several years out of date, and that a large share of scanned applications include at least one component with no development activity in the past two years. Multiply that by the average enterprise application, which typically pulls in several hundred transitive open source dependencies it never directly chose, and the exposure compounds fast: a team can review and approve ten direct dependencies carefully and still inherit hundreds of indirect ones, several of which haven't seen a commit since a prior presidential administration. Abandonment isn't a rare edge case buried in a long tail — it's baked into the median enterprise SBOM.

Why Do Maintainers Walk Away in the First Place?

Maintainers leave mostly because they're unpaid, exhausted, and never signed up to run critical infrastructure for Fortune 500 companies for free. Tidelift's annual maintainer surveys have found that most open source maintainers receive no financial compensation for the work, many maintain projects on top of a full-time unrelated job, and a meaningful share say they've considered stepping away entirely. Sometimes that frustration turns visible: in January 2022, colors.js and faker.js maintainer Marak Squires deliberately broke his own widely used npm packages — pushing an infinite loop that printed garbled text — after years of feeling that corporations profited from his unpaid work while giving nothing back. Two months later, the maintainer of node-ipc shipped a protestware update, dubbed "peacenotwar," that wiped files on machines with Russian or Belarusian IP addresses in response to the invasion of Ukraine. Neither incident was a hack. Both were maintainers of load-bearing packages reaching a breaking point, with no employer, no support contract, and no succession plan standing behind them.

What Happens When an Abandoned Repo Becomes Someone Else's Attack Surface?

Attackers actively hunt for exactly this gap, because a widely used package with a tired or vanished maintainer lets them ship malicious code under a trusted name instead of exploiting a bug. In 2018, event-stream's original author, worn down by unpaid maintenance, handed control to a stranger who volunteered to help; that new "maintainer" quietly added a dependency called flatmap-stream designed to steal Bitcoin from users of the Copay wallet app, and it rode along inside a package downloaded roughly two million times a week before anyone noticed. In October 2021, attackers compromised the npm account behind ua-parser-js — a library used by Facebook, Microsoft, and Amazon and pulled millions of times weekly — and pushed versions laced with a cryptominer and a password stealer. XZ Utils, described above, is the most sophisticated version of the same play: rather than break in, the attacker simply waited for the door to be left unattended and walked through it as a trusted contributor.

Why Do Traditional Vulnerability Scanners Miss This Risk?

Standard software composition analysis tools miss abandonment because they're built to match known CVE identifiers against version strings, and a package with zero disclosed CVEs looks completely clean regardless of who's behind it. That's the uncomfortable gap between abandonment risk and CVE risk: when Log4Shell (CVE-2021-44228) surfaced on December 9, 2021, Apache Log4j still had a working group of active volunteer maintainers who could triage the flaw and ship a fix within days, however painful that scramble was. An abandoned package facing the same kind of discovery has nobody to do that work at all — no patch, no advisory, no timeline, just a silent CVE that eventually gets filed against a project no one is watching. A scanner reporting "0 known vulnerabilities" for a package that hasn't been touched in four years isn't giving you a clean bill of health; it's telling you nobody has looked hard enough to find one yet.

How Should Security Teams Tell "Abandoned" Apart From "Simply Stable"?

Not every quiet repository is a threat, since some libraries are just small, finished utilities that reached feature-complete years ago and never needed another commit — treating every dormant package as dangerous just buries real signal in noise. The March 2016 left-pad incident is the classic cautionary tale in the other direction: an 11-line npm package used across thousands of downstream projects was unpublished over a naming dispute, instantly breaking builds across the JavaScript ecosystem and proving how much of the supply chain depends on tiny, easily overlooked packages regardless of how "finished" they seem. The distinguishing signal isn't code age — it's whether there is a real, responsive human (or team) behind the package who could act if a vulnerability, a hijacked account, or a malicious pull request showed up tomorrow. A single-maintainer package with no CI, no recent issue responses, and broad downstream usage is a materially different risk than a single-maintainer package that's narrow in scope and has no history of security-relevant changes needed at all.

How Safeguard Helps

Safeguard treats maintainer health and project activity as first-class supply chain signals, not an afterthought bolted onto CVE matching. Instead of only asking "does this version have a known vulnerability," Safeguard continuously evaluates the packages in your SBOM against maintenance indicators — commit recency, maintainer count, unaddressed security reports, ownership transfers, and sudden changes in publishing behavior that resemble the account-hijack pattern behind ua-parser-js or the trust-building pattern behind XZ Utils. That means a security team using Safeguard can see, at a glance, which of their hundreds of transitive dependencies are actively stewarded and which are one abandoned repository away from becoming the next headline. When a maintainer disappears, a package goes silent past a defined threshold, or a suspicious new co-maintainer suddenly gains commit access to something deep in your dependency tree, Safeguard surfaces it before it becomes an incident report — turning the long tail of abandoned open source from a blind spot into something you can actually govern.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.