Why Abby Kearns thinks AI has changed the rules for the open source software supply chain
Abby Kearns has spent more than a decade in the open source world, starting at Pivotal before going on to lead the Cloud Foundry Foundation and later serving as CTO at Puppet. Today she is CEO at ActiveState, a company that focuses on keeping the open source software library supply chain safe.
In the last few months, there have been several major open-source software supply chain attacks. As Kearns wrote on LinkedIn, attacks like the TanStack incident on May 11 appeared to come from a legitimate developer because TanStack's build pipeline had been compromised, allowing malicious code to pass as authentic. As Kearns put it, “The attacker hijacked the pipeline mid-workflow.”
Kearns says those kinds of attacks reinforced her decision to join ActiveState. "Honestly, this is why I joined ActiveState," Kearns told FastForward. "I have watched this risk compound across every infrastructure cycle of the last decade," she said.
AI's changing everything
AI is changing how software is created, as developers are no longer making library decisions themselves, and are increasingly relying on AI coding tools. In a March FastForward profile, software supply expert Cassie Crossley told FastForward that AI coding was only adding to the problem of software safety. "You can't know every single library, and frankly there are not enough security layers built in yet for vibe coding that I would ever trust at the moment."
Kearns sees AI changing the software supply chain in fundamental ways. "You've got a lot more people leveraging AI and AI code generators to write code, and on top of that, you have the increasing exposure of package managers like NPM, which have dramatic downstream modifications on millions and millions and millions of users and consumers and packages," Kearns said. With AI grabbing ever more packages, she says that no one is really looking at what you're using anymore. "You're just kind of pulling in whatever packages that Claude or Cursor or Copilot identifies and puts into the code it creates, and you just kind of move on."
It's a big enough problem to get the attention of IBM and Red Hat, which in May launched Project Lightwell, a $5 billion program to act as a trusted clearinghouse for open source software. It followed the Linux Foundation launching the OpenSSF grant program, a $12.5 million program. Kearns sees their respective commitments as a big step forward when it comes to protecting the software supply chain.
"When institutions of that scale stand up coordinated programs around open source supply chain protection, the consensus has changed. This is no longer treated as a niche security topic. It is a crisis and recognition is finally catching up to the pace at which the exposure has been building," Kearns said.
ActiveState's approach
AI doesn't necessarily bring a new set of problems, but it certainly compounds the existing ones with speed. Companies are unleashing agents to create code faster than ever, creating a more fertile ground for bad actors to take advantage of that speed (and don't forget, they can also move faster with AI).
"It's the exact same problem, just multiply it by a million times because now all of a sudden you have it coming from both sides," she said. What she means is developers and AI coding tools are generating more code and pulling in more libraries than ever, while open source maintainers are simultaneously trying to process a growing flood of pull requests and vulnerability fixes.
~Abby Kearns, ActiveState CEO
Her company is trying to address that by creating a safe place that bypasses some of the danger zones and gives developers and their agents a trusted place to grab those libraries they need to build their software.
At the center of ActiveState's approach is ActiveState Curated Catalog, a curated repository of open source libraries that organizations can use instead of pulling packages directly from the public internet.
It's more than a technology problem though. It also involves educating companies to think more deeply about the problem earlier in the development process. "Where are they pulling those packages? How do you start from the most secure footing and then apply more security as you go through the software development life cycle, versus just hoping you're going to catch everything at the end," she said.