
The Eight Trillion Dollar Heist
Ninety-seven percent of commercial software depends on open-source code. The companies that profit from it contribute almost nothing to the people who maintain it. The result is not just unfair. It is a civilisational security risk.
They did not break in. They did not steal anything. They simply took what was offered for free, built empires on top of it, and never looked back at the person who made it possible.
By Ramachandran Rajeev Kumar
There is a number that the technology industry does not like to discuss. It was calculated by researchers at Harvard Business School in 2024, and it sits in a working paper that has been downloaded thousands of times but cited in almost no corporate earnings call, shareholder letter, or annual report.
The number is 8.8 trillion dollars.
That is the demand-side value of open-source software to the global economy. It is what every company that uses open-source code -- which is to say, virtually every company on the planet -- would have to pay if the code they depend on were not freely available. The supply-side cost of creating that same software -- the actual labour required to write, maintain, debug, and secure it -- is estimated at 4.15 billion dollars.
Read those two numbers together. The global economy extracts 8.8 trillion dollars of value from software that cost 4.15 billion dollars to produce. That is a ratio of more than two thousand to one. And the people who produced it -- who are still producing it, still maintaining it, still patching it at midnight on holidays because a zero-day dropped and the internet is on fire -- receive, in the vast majority of cases, nothing.
This is not a market inefficiency. It is the greatest uncompensated wealth transfer in the history of technology. And it is about to break.
The arithmetic of extraction
Let us be precise about what "open source" means in the context of modern commercial software.
Ninety-seven percent of commercial codebases contain open-source components. That is not a typographical error. Virtually every application, every platform, every service sold by every technology company on Earth depends on code that was written by volunteers, released under permissive licences, and incorporated into commercial products without payment, attribution, or obligation.
Seventy-six percent of the actual code in scanned commercial applications originates from open-source libraries. The "proprietary" software that corporations sell, that investors value, that shareholders trade, is three-quarters open-source by volume. The proprietary layer -- the part the company actually wrote -- sits on top like a thin coat of paint on a house built by someone else.
And here is the concentration that should alarm anyone who thinks about systemic risk: five percent of programmers are responsible for over ninety percent of the open-source value created. The entire digital economy -- the cloud platforms, the AI models, the financial systems, the government portals -- rests on the work of a vanishingly small number of individuals, most of whom are not employed to do what they are doing.
The people who hold the floor up
Sixty percent of open-source maintainers are unpaid. Not underpaid. Unpaid. They maintain the libraries that run the world's infrastructure on their own time, with their own equipment, for no compensation.
Sixty percent have quit or seriously considered quitting due to burnout. Sixty-one percent of unpaid maintainers work entirely alone -- no co-maintainer, no backup, no succession plan.
These are not hobbyists tinkering with side projects. These are the people who maintain the plumbing of civilisation.
Consider Denis Pushkarev, the creator of core-js. His library is embedded in over half of the top ten thousand websites on the internet. It has been downloaded billions of times. Every major browser, every major framework, every major application that runs JavaScript in production depends, directly or transitively, on his work.
Pushkarev went to prison in 2019 for a traffic fatality -- a personal tragedy that has nothing to do with his professional contribution. When he was released, his funding had collapsed to approximately four hundred dollars per month. Tidelift, one of the few platforms that channels commercial money to maintainers, froze his payments due to sanctions-related payment processing restrictions. He wrote publicly, in 2023: "Free open-source software is fundamentally broken."
The response from the developer community -- the millions of engineers whose daily work depends on his code -- was not a funding drive. It was, in significant part, abuse. Developers who used his library for free told him he was being entitled for asking to be paid.
Four hundred dollars per month. For maintaining a library that powers half the commercial internet. From an industry whose largest companies report quarterly revenues in the tens of billions.
The security debt
This is not only a moral problem. It is a security catastrophe that is already unfolding.
On March 31, 2026, North Korean operatives compromised the Axios npm package -- one of the most downloaded JavaScript libraries in the world -- by hijacking a single maintainer's account. They injected a remote access trojan that targeted Windows, macOS, and Linux systems. The package receives over one hundred million weekly downloads. The automated scanner at Socket detected the compromise in six minutes. The malicious versions were removed within three hours.
But the attack succeeded not because of a technical vulnerability in npm's infrastructure. It succeeded because the security of a library used by millions of applications rested on the account hygiene of one person. One password. One individual. One point of failure for a hundred million weekly installs.
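The structural point above, that a whole dependency tree can hinge on one account, is something a consuming organisation can at least measure in its own lockfile. The script below is an added illustration written for this article; it is not code from the article, from npm or from Socket. Package names, maintainer handles and publish timestamps are constructed, the 72-hour quarantine window is an assumed policy value, and the metadata fields (publish-capable accounts, whether publishing is 2FA-protected) are assumed to have been fetched from the registry beforehand. It flags bus-factor-one packages, unprotected publishing, and versions too fresh to have been looked at by anyone.

```python
"""Dependency audit over constructed package metadata.

Added example for this article; not code from the article, from npm or
from Socket. Package names, maintainer handles and timestamps below are
constructed, and the 72-hour quarantine window is an assumed policy value.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

QUARANTINE_HOURS = 72  # assumed adoption delay for freshly published versions


@dataclass(frozen=True)
class PackageRelease:
    name: str
    version: str
    maintainers: tuple[str, ...]  # accounts that can publish this package
    published: datetime           # UTC publish time of this version
    publish_2fa: bool             # registry enforces 2FA for publishing


def audit_release(rel: PackageRelease, now: datetime) -> list[str]:
    """Return the risk findings for one pinned release."""
    findings: list[str] = []
    if not rel.maintainers:
        findings.append("no publish-capable account on record")
    elif len(rel.maintainers) == 1:
        findings.append("bus factor 1: a single account can publish this package")
    if not rel.publish_2fa:
        findings.append("publishing is not protected by 2FA")
    age_hours = (now - rel.published).total_seconds() / 3600
    if age_hours < QUARANTINE_HOURS:
        findings.append(
            f"version {rel.version} published {age_hours:.1f}h ago, "
            f"inside the {QUARANTINE_HOURS}h quarantine window"
        )
    return findings


def audit_lockfile(releases, now: datetime) -> dict[str, list[str]]:
    """Audit every pinned release and key the findings by package name."""
    return {rel.name: audit_release(rel, now) for rel in releases}


def blocking_packages(report: dict[str, list[str]], max_findings: int = 1) -> list[str]:
    """Packages whose finding count exceeds the allowed maximum, sorted by name."""
    return sorted(name for name, f in report.items() if len(f) > max_findings)


AUDIT_TIME = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)  # constructed

# Constructed sample lockfile: one fresh single-maintainer release without 2FA,
# one old single-maintainer release, and one release with several maintainers.
SAMPLE_RELEASES = (
    PackageRelease("http-client-lib", "2.4.1", ("solo-dev",),
                   AUDIT_TIME - timedelta(hours=6), publish_2fa=False),
    PackageRelease("left-padding-util", "1.0.9", ("solo-dev",),
                   AUDIT_TIME - timedelta(days=400), publish_2fa=True),
    PackageRelease("well-staffed-framework", "5.2.0",
                   ("alice", "bob", "carol", "dave"),
                   AUDIT_TIME - timedelta(days=30), publish_2fa=True),
)


if __name__ == "__main__":
    report = audit_lockfile(SAMPLE_RELEASES, AUDIT_TIME)
    for name, findings in report.items():
        print(name, "->", findings or ["ok"])
    print("blocked:", blocking_packages(report))
```

The quarantine rule is the cheapest of the three checks to act on: a CI pipeline that refuses to install a version younger than the window would have skipped the malicious Axios releases the article describes, since they were pulled within three hours. The bus-factor finding cannot be fixed by the consumer, but it tells you which of your dependencies to fund or mirror.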
Two years earlier, the xz-utils backdoor demonstrated the same structural weakness with even greater precision. The attacker did not exploit a bug. The attacker exploited a burned-out maintainer.
Lasse Collin, the sole maintainer of xz-utils -- a compression library embedded in virtually every Linux distribution -- had publicly disclosed that he was struggling with long-term mental health issues. The attacker, operating under the pseudonym "Jia Tan," spent more than two years building trust through legitimate contributions. Sock-puppet accounts were created to pressure Collin into accepting help. The social engineering was patient, methodical, and aimed directly at the most vulnerable point in the entire open-source ecosystem: a single, exhausted human being who had no institutional support, no co-maintainer, and no resources.
The backdoor that was planted -- CVE-2024-3094, CVSS score 10.0 -- would have granted silent remote access to SSH authentication on millions of Linux servers worldwide. It was caught by one Microsoft engineer who noticed that his SSH logins were half a second slower than usual. Not by a corporate security audit. Not by an AI scanner. Not by any of the companies whose infrastructure depended on that library. By one person who was paying attention.
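The signal that exposed the backdoor was a half-second change in login latency noticed by a person. The same comparison can be automated per host so that it does not depend on one engineer's attention. The check below is an added example written for this article, not code from the article or from any project it names; the millisecond samples are constructed and the thresholds are assumptions. It assumes you already record authentication latency per SSH login (for example, timed from the client) as a baseline window and a recent window, and it flags a regression when the recent median exceeds the baseline median by more than a floor or a robust multiple of the baseline's spread.

```python
"""Latency regression check for SSH logins, over constructed samples.

Added example for this article; not code from the article or from any of
the projects it names. Sample values are constructed and the thresholds
(200 ms floor, 3 robust sigmas) are assumptions.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class LatencyVerdict:
    baseline_ms: float   # median of the baseline window
    recent_ms: float     # median of the recent window
    delta_ms: float      # recent minus baseline
    threshold_ms: float  # smallest delta that counts as a regression
    regressed: bool


def latency_regression(baseline, recent, min_delta_ms=200.0, k=3.0) -> LatencyVerdict:
    """Compare medians; a regression is a delta above max(min_delta_ms, k * sigma),
    where sigma is estimated from the baseline's median absolute deviation."""
    if len(baseline) < 5 or not recent:
        raise ValueError("need at least five baseline samples and one recent sample")
    base_med = median(baseline)
    mad = median([abs(x - base_med) for x in baseline])
    sigma = 1.4826 * mad  # MAD-to-sigma scaling for normally distributed noise
    threshold = max(min_delta_ms, k * sigma)
    recent_med = median(recent)
    delta = recent_med - base_med
    return LatencyVerdict(base_med, recent_med, delta, threshold, delta > threshold)


# Constructed samples: a steady ~120 ms baseline, a recent window that is
# about half a second slower, and a recent window that is unchanged.
BASELINE_MS = [118, 121, 119, 124, 117, 122, 120, 123, 119, 121]
RECENT_SLOW_MS = [615, 630, 622, 618, 641, 627]
RECENT_NORMAL_MS = [119, 125, 121, 118, 122, 120]


if __name__ == "__main__":
    for label, window in (("slow", RECENT_SLOW_MS), ("normal", RECENT_NORMAL_MS)):
        v = latency_regression(BASELINE_MS, window)
        print(f"{label}: delta={v.delta_ms:.1f} ms threshold={v.threshold_ms:.1f} ms "
              f"regressed={v.regressed}")
```

Medians and MAD are used rather than mean and standard deviation so a single slow login caused by network jitter does not move the baseline. The floor keeps tiny, stable baselines from flagging on noise, and the robust-sigma term lets the check scale to hosts whose normal latency is much larger.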
And then there was Log4j. In December 2021, a critical vulnerability in the Log4j logging library -- used by virtually every Java application on the planet -- required emergency patching over the Thanksgiving holiday. The maintainers were volunteers. They were not employed by any of the companies whose products were at risk. They patched the library that powers the commercial internet while the executives of the companies that depend on it were eating turkey with their families.
The United States Senate convened a hearing in February 2022 specifically to address the structural problem of critical infrastructure maintained by unpaid volunteers. Recommendations were made. Frameworks were published. Roadmaps were drafted.
Four years later, the Axios hack demonstrates that nothing fundamental has changed.
The corporate contribution theatre
The technology industry's response to the maintainer crisis has been, in the most charitable interpretation, performative.
In 2025, a coalition comprising Amazon Web Services, Google, Anthropic, Microsoft, GitHub, and OpenAI announced a joint investment in open-source security. The total: 12.5 million dollars. For the entire ecosystem. Shared among six of the wealthiest technology companies on Earth.
Amazon Web Services alone reported approximately 107 billion dollars in revenue in 2024. Its contribution to the open-source ecosystem on which its entire business depends represents a fraction so small that expressing it as a percentage requires scientific notation.
The Alpha-Omega project -- funded by Google, Microsoft, and AWS -- disbursed 4.5 million dollars in grants across all critical open-source projects in 2024. That covered security staffing at ten organisations, including the Python Software Foundation and OpenJS. It is real money, doing real work. Against an 8.8 trillion dollar dependency base, it is a rounding error.
GitHub Sponsors exists as a platform. The money that flows through it reaches twenty-five percent of maintainers -- up from sixteen percent in 2021, but still insufficient to constitute an income for most of them. The proportion of maintainers whose employers explicitly pay them for maintenance work has actually fallen, from twenty-eight percent in 2021 to twenty-four percent in 2024. The trend is moving in the wrong direction.
The industry has mastered the vocabulary of open-source support. It sponsors conferences. It publishes blog posts about community. It assigns developers to contribute patches to high-profile projects. What it does not do, in any systematic or proportionate way, is pay the people who maintain the foundations on which its trillion-dollar valuations rest.
The regulatory reckoning that may make it worse
The European Union's Cyber Resilience Act, which entered into force in December 2024 and begins mandatory compliance in September 2026, introduces liability for software with "digital elements" sold in the EU. The intent is sound: hold software producers accountable for the security of their products.
The execution threatens to compound the maintainer crisis. The exemption for open-source contributors is narrow. Maintainers who accept donations beyond cost recovery, or who process personal data, may fall within scope. The Linux Foundation, the Apache Software Foundation, and the Eclipse Foundation have been classified as "open-source stewards" with compliance obligations. Multiple free software organisations have flagged a chilling effect: volunteers who already receive nothing for their work may now face legal liability for doing it.
The EU is, in effect, proposing to regulate the unpaid labour that the commercial sector refuses to fund. It is asking volunteers to meet compliance standards that corporations with legal departments and security teams struggle to achieve. The likely outcome is not better security. It is fewer volunteers.
The risk of this decade
Every supply chain attack in the past five years tells the same story. Not a story of sophisticated technical exploitation. A story of structural neglect.
The attackers -- whether state-sponsored intelligence operations or financially motivated criminal groups -- have identified the cheapest, most reliable vulnerability in the entire technology stack: the human being who maintains the code that everyone uses and no one pays for.
They do not need to breach a corporate firewall. They do not need to find a zero-day in a hardened production system. They need to find one person -- overworked, under-resourced, and alone -- and either compromise their account or earn their trust. The attack surface is not a software vulnerability. It is a funding gap.
And that funding gap is widening. As AI-generated code accelerates the rate at which new dependencies are created and consumed, the volume of open-source code flowing into production systems is increasing faster than the human capacity to maintain it. More code, more libraries, more transitive dependencies, more single-maintainer projects, more points of failure -- all growing exponentially while the number of people being paid to secure them remains essentially flat.
This is not a technical problem. Technical problems have technical solutions. This is a governance problem. It is the problem of an industry that has built an 8.8 trillion dollar economy on the assumption that critical infrastructure will be maintained for free, indefinitely, by people who can be treated with indifference.
The xz-utils backdoor should have been the alarm. Log4j should have been the wake-up call. The Axios hack -- exploiting the same structural weakness, in the same way, two years later -- proves that the alarm was heard and ignored.
What must change
The solution is not charity. It is not corporate social responsibility. It is not a 12.5 million dollar fund split among six companies whose combined revenue exceeds half a trillion dollars.
The solution is obligation.
Every company that ships software containing open-source dependencies should be required to contribute a percentage of revenue -- not profit, revenue -- to the maintenance of those dependencies. The contribution should be proportional to the depth of dependence. A company whose product relies on three open-source libraries has a smaller obligation than a company whose product relies on three thousand. The funds should flow directly to maintainers, not through corporate foundations that absorb administrative overhead and redirect resources to conference sponsorships.
This is not unprecedented. It is how every other form of critical infrastructure is funded. Roads are maintained through taxes on the vehicles that use them. Electrical grids are funded through tariffs on the energy that flows through them. Water systems are funded through usage charges. Only in software has the industry managed to construct an argument that the infrastructure should be free, the maintainers should be grateful, and the companies that extract billions in value should contribute at their discretion.
The open-source maintainer is not a beneficiary of corporate generosity. The open-source maintainer is the person who holds the floor up while the party happens overhead. And when the floor collapses -- when the next xz-utils backdoor is planted, when the next Axios account is compromised, when the next Log4j emergency lands on Thanksgiving -- it will not be the corporations that pay the price. It will be the users, the citizens, the governments, and the economies that trusted the software those corporations sold them.
The biggest risk of this decade is not artificial intelligence. It is not quantum computing. It is not climate change, though that is real and urgent. The biggest risk of this decade is that the foundation of the entire digital economy is maintained by exhausted volunteers, and the companies that profit from their work have decided that this is someone else's problem.
It is not someone else's problem. It is a bill that is coming due. And when it arrives, the companies that refused to pay will discover that the cost of prevention was a fraction of the cost of collapse.
Ramachandran Rajeev Kumar is Chief Executive of Aarksee Group of Companies, a Saudi Arabia-based conglomerate operating across carbon markets, green sciences, technology, and media. He writes on technology governance, corporate accountability, and the geopolitics of digital infrastructure for The Global Federation.
Editor's Note: The Harvard Business School figure of $8.8 trillion is from a 2024 working paper (HBS 24-038) that has not yet completed journal peer review. All other statistics are from published surveys, official reports, and primary sources verified as of April 1, 2026.