Open source registries like PyPI, npm, and Crates.io lack funds for basic security despite massive growth and malware floods.
FOSDEM talk warns they're on borrowed time — bandwidth/storage eat 40% of budgets, leaving little for defenses against AI-amplified attacks.