Mastodon Digest
Posts

One more thing: I'm looking forward to a hearing in Congress about this. The "Private-CISA" repo included AWS keys for at least two different Nightwing contractors, including terraform scripts from another employee with embedded clear text credentials, suggesting there was a practice of sharing credentials.

Somehow I missed this story in my research concerning Nightwing, the Virginia government contractor where the CISA contractor worked.

May 2, 2025: Raytheon, Nightwing to Pay $8.4 Million in Settlement Over Cybersecurity Failures

"The US government on Thursday announced that it has reached a settlement with Raytheon, RTX Corporation, and Nightwing Group in a lawsuit over the companies’ alleged failures to meet cybersecurity requirements for defense contractors.

Raytheon, a subsidiary of RTX Corporation (previously Raytheon Technologies Corporation), and its then-subsidiary Raytheon Cyber Solutions, Inc. (RCSI), allegedly failed to comply with cybersecurity requirements in 29 contracts and subcontracts with the Department of Defense (DoD). Nightwing is a cybersecurity and intelligence company that spun out of RTX.

According to the settlement, between 2015 and 2021, Raytheon did not implement necessary cybersecurity controls on a system used to perform work on DoD contracts. In 2015, the company landed a DHS cybersecurity contract worth $1 billion.

Raytheon and RCSI allegedly not only failed to implement a security plan for the internal development system, but also failed to ensure that it complied with other Defense Federal Acquisition Regulation Supplement (DFARS) and Federal Acquisition Regulation (FAR) requirements.

Per DFARS and FAR, contractors are required to apply basic safeguarding to systems that process or store federal contract data, and to provide adequate security for those systems, respectively."

securityweek.com/raytheon-to-p
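The thread above describes Terraform scripts with embedded cleartext AWS credentials committed to a repository. The following is an added example, not code from the posts or from any organisation named in them: a minimal pre-commit style scanner that flags hard-coded AWS access key IDs and literal `access_key`/`secret_key` assignments in Terraform sources, while leaving variable references alone. The two Terraform snippets are constructed for this example, and the key values are the AWS documentation placeholders (`AKIAIOSFODNN7EXAMPLE` and its companion), not live credentials.

```python
"""Scan Terraform sources for hard-coded AWS credentials.

Added example, not part of the original posts. The sample HCL below is
constructed for the demo; the key values are the AWS documentation
examples, not live credentials.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# AWS access key IDs are 20 characters: a 4-char prefix (AKIA = long-lived
# IAM user key, ASIA = temporary STS key) followed by 16 upper-case
# alphanumerics. Lookarounds stop the pattern matching inside longer tokens.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A literal (quoted) assignment to a credential attribute in HCL or tfvars,
# e.g.  secret_key = "wJalr...".  `secret_key = var.x` is a reference and
# is deliberately not matched: only quoted strings count as leaks.
LITERAL_ASSIGN = re.compile(
    r'^\s*(access_key|secret_key|aws_access_key_id|aws_secret_access_key)'
    r'\s*=\s*"([^"]*)"',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    excerpt: str  # redacted, so the scanner's own output does not re-leak the secret


def redact(value: str) -> str:
    """Keep the first and last four characters for triage, mask the rest."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per suspected credential in `text`."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group(0))))
        m = LITERAL_ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith("${"):
            continue  # interpolation such as "${var.key}" is a reference, not a literal
        if "access" in name and ACCESS_KEY_ID.search(value):
            continue  # already reported by the key-ID pattern above
        findings.append(Finding(path, lineno, "hardcoded_" + name, redact(value)))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Walk a checkout and scan every .tf / .tfvars file."""
    findings: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.suffix in {".tf", ".tfvars"} and p.is_file():
            findings.extend(scan_text(str(p), p.read_text(errors="replace")))
    return findings


# Constructed sample input: the leaking form and the safe form of an AWS provider block.
BAD_TF = '''\
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
'''

GOOD_TF = '''\
variable "aws_access_key" { sensitive = true }
variable "aws_secret_key" { sensitive = true }
provider "aws" {
  region     = "us-east-1"
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
}
'''

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else scan_text("main.tf", BAD_TF) + scan_text("safe.tf", GOOD_TF)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind}: {f.excerpt}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the commit/push in a hook
```

Run with a directory argument to scan a real checkout; without one it scans the two embedded samples and reports only the first. The exit code makes it usable as a pre-commit or CI gate, and the redaction keeps the scanner's own output out of the class of artifacts it is meant to catch.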

AI did not create the maintainer burden problem in open source. It accelerated it.

The cost of creating the first version of a contribution is dropping fast. But review, verification, security impact, long-term maintenance, and ownership are still human work.

That asymmetry is where open source is starting to feel the pressure.

I wrote about it here:

frenck.dev/open-source-was-not

Boosts

My lawnmower is cuter than yours
