It’s an interesting legal theory and seems like it would work. However, I would not be comfortable until it is tested in court. LLM models have “seen” an awful lot of code and may not be able to legally do the implementation.
The state of the world is so depressing and I already believe this is satire but I'm only 99% sure. Can someone else confirm?
I haven't spent too much time on it, so there's a good chance that I'm wrong, but it doesn't seem to be satire. I think that it's merely depressing and predatory, or depressing and predatory because it's a cynical sales pitch - a conversion funnel - that conflates what could be deemed to be real risks (supply-chain attacks etc.) with major exaggerations. They probably worked with a PR agency to devise this approach and thought that it was a very clever way to capture the attention of this exact community - which may very well happen if it spurs a heated discussion and people end up mentioning their brand name and visiting their site.
To be clear, engineers should not be required in the least to "maintain mental maps of which packages are safe and which will detonate their employer's IP strategy" simply because in the vast majority of cases they're not co-owners of that business or that strategy. That is overstated and intentionally misleading, I suspect. AGPL obligations depend on how software is combined and distributed or network-served, not on some magical "contamination" event from merely touching a package.
Rhetoric through and through, in my opinion.
It works. It is hooked up to Stripe. You can upload your package.json and receive a fully cleanroomed set of dependencies to use yourself. It is up to you to determine whether this is a compelling product or a warning to those who care about FOSS.
Good rage bait
Author is
""" Mike Nolan
Chief Executive Officer MalusCorp International Holdings Ltd. """
Also worth linking to his talk at FOSDEM, on which this is based: https://fosdem.org/2026/schedule/event/SUVS7G-lets_end_open_...
Also on youtube: https://youtu.be/9qEtm2zx314