Recent funding, licensing, foundation, and monetization news from across open source.
Hyundai Mobis says it joined the Eclipse Foundation's SDV Working Group and S-Core Project, and plans to publicly release mobility software including a Linux container solution as part of an open source push for software-defined vehicle platform standards.
Aikido Security reports that codexui-android, a remote web UI for OpenAI Codex with a real GitHub repo and tens of thousands of weekly npm downloads, quietly exfiltrated Codex, OpenAI, GitHub, SSH, and npm credentials from users' environments.
FSFE says it is part of Restack, a Horizon Europe consortium providing legal and licensing support for more than 200 Free Software projects while working to strengthen Europe's digital commons and reduce dependency on proprietary technology.
The New Stack interviews Aikido Security's Willem Delbare about how AI coding agents autonomously install open source packages, plugins, extensions, MCPs, models, and tools while many organizations have no clear accountability, policy enforcement, or visibility for the resulting supply-chain risk.
SDxCentral reports that Cisco plans broader enterprise and neocloud support for SONiC, the Linux Foundation-stewarded open networking project, extending commercial backing for the open source network operating system beyond hyperscale deployments.
TechCrunch reports that ClickHouse has reached a $250 million annualized revenue run rate after a $400 million Series D and $15 billion valuation, describing its open source database monetization through managed cloud services and continued acquisition of complementary open source startups.
The PHP Foundation reports that 536 sponsors and individual donors contributed $730,534 in 2025, funding 11 contracted developers and helping the foundation author roughly 42% of PHP core commits while supporting security, maintenance, and ecosystem work.
Simon Willison notes that SQLite added an AGENTS.md file telling AI coding agents and their users that SQLite requires public-domain contribution paperwork and does not accept agentic code, though maintainers may review concise human-authored proof-of-concept patches before reimplementing them.
Slashdot covers Greg Kroah-Hartman's comments that Rust can help Linux handle a flood of AI-discovered security bugs by preventing common C memory, locking, error-handling, and untrusted-data mistakes before human review.
ADTmag reports on a study of 128,018 GitHub projects estimating coding-agent adoption at 22% to 29%, raising questions for open source teams about agent-generated pull requests, review requirements, labeling, auditing, and long-term maintenance costs.
SiliconANGLE reports that Aztec Labs acquired Obsidion Labs, maker of the open source ZKPassport zero-knowledge identity protocol, and says Aztec will keep maintaining the ZKPassport protocol and iOS app as open source while the team continues development inside Aztec.
ClickHouse launched House Mates, a partner community and program with more than 60 integration, services, consulting, reseller, and ISV partners, formalizing a commercial ecosystem around the open source ClickHouse project and ClickHouse Cloud.
The New Stack reports on MotherDuck's relationship with DuckDB Labs and the DuckDB Foundation, saying the venture-backed company is commercializing open source DuckDB while choosing collaboration and extensibility over forking the core project.
DevOps.com reports that Sol Duara plans to contribute its open source Conduit workflow orchestration platform to the Continuous Delivery Foundation, aiming to advance CDEvents-based interoperability across CI/CD and software delivery tools.
SiliconANGLE reports that Tensormesh raised $20 million from investors including Nvidia, AMD, and CoreWeave to commercialize inference optimization built on the open source LMCache project, while continuing contributions to the open source ecosystem.
Packagist details new Composer and Packagist.org supply chain defenses, credits Sovereign Tech Agency and Aikido funding for the work, and announces a sponsorship program starting at €2,500 per month to finance Packagist.org operations and security development.
PostHog says it plans to train its own AI models on customer data, with training enabled by default unless customers opt out, while promising anonymization, no third-party model providers, and no resale of models trained on the data.
The Linux Foundation announced DNS-AID, a new open source project intended to provide decentralized discovery infrastructure for AI agents using existing DNS mechanisms and vendor-neutral governance.
The Linux Foundation says the OCUDU Ecosystem Foundation has added 21 global member organizations since launch, expanding industry and research backing for its open, cloud native RAN collaboration.
Drupal founder Dries Buytaert argues that open source companies should compete through products while also sustaining the shared commons through code, security work, documentation, events, education, and sponsorships, criticizing Pantheon's attacks on Acquia as unhelpful Drupal ecosystem vendor conflict.
The MariaDB Foundation says ProxySQL has become a Silver Sponsor, with ProxySQL CEO René Cannaò framing the sponsorship as support for the open source database commons and a closer collaboration path between ProxySQL and MariaDB users, contributors, and maintainers.
The PyTorch Foundation says Alibaba Cloud has joined as a platinum member, adding financial and engineering support for the Linux Foundation-hosted open source AI framework and its global developer ecosystem.
The Register reports that MySQL users and developers launched the OurSQL Foundation to push Oracle for more transparency, collaboration, and a clearer roadmap around the open source database ecosystem.
Boot.dev surveys recent open source maintainer conflicts and sustainability blowups, including npm funding ads and other monetization flashpoints, arguing that popular open source work remains financially fragile and difficult to sustain.
ECI Research reports from Open Source Summit 2026 that Valkey maintainers and Linux Foundation leaders described AI-assisted contributions and machine-scale package registry consumption as new pressure on open source governance, review capacity, and funding models.
F-Droid says it received $50,000 from FLOSS/fund to support maintaining the free and open source Android app repository, noting that the no-strings funding program aims to donate up to $1 million annually to critical FLOSS projects.
Entrackr reports that Flexprice raised a $1.5 million seed round led by Shastra VC to expand its open-source billing infrastructure for AI-native and API-first companies, including metering, revenue recognition, and usage-based pricing tools.
Jake Orlowitz writes that the Wikimedia Foundation fired longtime MediaWiki lead developer Brooke Vibber and disbanded the Community Tech team while holding large reserves and growing Wikimedia Enterprise revenue from AI-company API access, prompting Wikipedia editors to threaten solidarity action.
Akseli Lahtinen argues that AI-tool attribution lines in commits for open source projects amount to free advertising for vendors, and says AI use should be disclosed in merge requests rather than embedded in commit metadata.
HeroDevs summarizes Black Duck's 2026 OSSRA findings that 68% of audited codebases contain license conflicts, warning that AI coding assistants can worsen open source license provenance problems by copying code without preserving attribution or context.
Help Net Security reports that Anthropic's Project Glasswing update says Claude Mythos found more than 10,000 high- or critical-severity issues and disclosed 1,596 vulnerabilities across 281 open source projects, exposing a maintainer triage bottleneck.
Industrial Cyber reports that MITRE is contributing its Caldera adversary-emulation platform to the Apache Incubator as Apache Caldera, moving the open source cybersecurity project toward vendor-neutral governance and broader community sustainability.
Andrew Nesbitt publishes a satirical Internet-Draft-style proposal for disclosure, quality, and behavior expectations around AI agents contributing to open source projects, reflecting pressure on maintainers to define norms for automated patches.
HeroDevs argues that AI-driven vulnerability discovery is outpacing open source verification capacity, tying recent AI-found OpenSSL issues and Mythos disclosures to curl's decision to shut down its bug bounty amid low-quality AI-generated reports.
Dillo maintainer Rodrigo Arias Mallo proposes asking new contributors to record programming sessions with asciinema as a way to distinguish human-written patches from LLM-generated contributions, highlighting AI-driven trust and review concerns in open source projects.
Phoronix reports that GlobalPlatform launched Pavona, an open source silicon ecosystem backed by founding members including Meta, Qualcomm, Tenstorrent, Winbond, and the University of Oxford to help build certification-ready chip designs.
Siliconimist interviews aesc silicon founder Daniel Schultz about building a semiconductor company around open source silicon, covering how services, expertise, and ecosystem adoption can support a business based on free designs.
curl maintainer Daniel Stenberg describes the mental strain of handling a sustained flood of security reports after years of LLM and AI-slop submissions, saying the vulnerability triage workload is consuming nearly all of his work days.
CNCF announced CVS Health joined as a Platinum member, adding a major healthcare company to the foundation's cloud-native collaboration and open source infrastructure ecosystem.
CNCF announced that OpenTelemetry has graduated, marking a governance and maturity milestone for the vendor-neutral open source observability project after broad production adoption across cloud-native users and vendors.
The Next Web reports that Anthropic loosened disclosure rules for Project Glasswing so partners using its Mythos cybersecurity model can share vulnerability findings with affected security teams, regulators, open source maintainers, the media, and the public under responsible-disclosure norms.
Open Source For You reports on Software Freedom Conservancy's AGPLv3 allegations against Bambu Lab, connecting the OrcaSlicer-bambulab cease-and-desist dispute to broader claims that Bambu's proprietary networking components impose extra restrictions on AGPL-licensed software.
Techstrong.ai covers Linus Torvalds' Open Source Summit remarks about AI's effect on Linux kernel development, including increased patch volume, changes to security-disclosure guidance, and the maintainer process pressure created by AI-assisted reports and submissions.
LWN reports on Linux kernel community discussion at the 2026 LSF/MM+BPF Summit about using LLMs for patch review, including concerns about review quality, maintainer workload, and where AI assistance may or may not fit in kernel development.
LeadDev argues that generative AI is accelerating low-quality open source abandonware, reducing documentation traffic and revenue paths while adding to maintainers' burden from automated slop submissions.
The Register reports that Anthropic wants to eventually release Mythos-class vulnerability-finding models while saying safeguards are not ready; Anthropic says Mythos has scanned more than 1,000 open source projects and found thousands of high- or critical-severity candidates, creating patch and disclosure pressure.
The Cryptonomist reports that DeepSeek is pursuing its first external financing round while telling investors it plans to keep releasing open-source models and prioritize AGI research over near-term commercialization.
TechCrunch reports that NanoCo, maker of the security-focused OpenClaw alternative NanoClaw, raised a $12 million seed round after a viral launch and growing interest around its open source community.
InfoQ reports that a proposed node:vfs module for Node.js introduced about 19,000 lines across 100 files and triggered debate over AI-assisted core contributions, review burden, DCO implications, and whether Node.js should set new AI contribution policies.
CyberScoop reports that GitHub and bug bounty operators are tightening rules as AI tools sharply increase low-quality vulnerability submissions, including reports against open source projects and dependencies.
The Verge reports that Bambu Lab's private legal threat to the developer of an OrcaSlicer fork sparked community fundraising, mirrors, and broader pushback over Bambu's handling of AGPL-licensed 3D-printer software.
Joost de Valk argues that Europe's Open Source First procurement push needs matching investment in the maintainers and public-interest infrastructure that digital sovereignty policies depend on.
The Register reports that AWS, Percona, Supabase, pgEdge, Tiger Data, and others pledged funding for pgBackRest after the open source PostgreSQL backup project's sole maintainer warned its future was uncertain.
Aftermath explains how Bambu Lab's action against an OrcaSlicer fork escalated into a broader AGPL dispute over Bambu Studio, arguing that 3D printing's open source software base makes the licensing fight important beyond one vendor.
Ars Technica reports that Software Freedom Conservancy's GPL enforcement case against Vizio is headed to a California jury, with the nonprofit seeking complete source code for Vizio's Linux-based smart TV operating system so owners can modify the software running on their devices.
Armin Ronacher reflects on maintaining the open source Pi coding-agent project in a post-AI environment, describing how AI-generated issue reports and confident but wrong diagnoses create extra triage work for maintainers and agents alike.
ActiveState joined the Linux Foundation and OpenSSF, saying it will contribute three decades of build infrastructure and its catalog of open source components to efforts around software supply-chain security and built-from-source governance.
The Register connects recent Linux vulnerabilities and duplicated reports to AI-assisted bug hunting, quoting OpenSSF concerns that AI could further burden already overloaded open source maintainers.
Help Net Security reports on the surge of low-quality AI-assisted vulnerability reports hitting maintainers, including Linux kernel concerns and OpenSSF work on guidance for handling AI-generated disclosures.
The Register reports that Google is ending broad access to the open source Gemini CLI and steering most users toward the proprietary Antigravity CLI, while enterprise and paid API-key users retain Gemini CLI access.
SiliconANGLE reports that Socket raised a $60 million Series C at a $1 billion valuation to expand its developer-focused platform for blocking malicious open source packages, with the company tying demand to AI-assisted coding and growing dependency volume.
Microsoft outlined Open Source Summit announcements around Azure Linux and agentic systems, and described continued funding for OpenSSF Alpha-Omega and participation in GitHub's Secure Open Source Fund for critical project security work.
Software Freedom Conservancy says Bambu Lab has violated AGPLv3 obligations around Bambu Studio and related 3D-printer software, and announced the baltobu reverse-engineering effort plus hosting for an Orca Slicer fork.
Phoronix reports that FreeBSD 15.1-RC1 includes fixes from a new wave of AI/LLM-driven security research, showing that AI-discovered vulnerability reports are expanding beyond Linux.
FOSS Force reports that Google is steering open source Gemini CLI users toward the proprietary Antigravity CLI while enterprise customers keep Gemini CLI, raising bait-and-switch concerns around an AI developer tool.
It's FOSS reports that HP joined Lenovo and Dell in financially supporting the Linux Vendor Firmware Service, giving the fwupd/LVFS firmware-update infrastructure another major hardware-vendor sponsor.
Phoronix reports that Intel continues archiving open source projects that no longer align with its strategy, including an OBS Studio plugin and other software efforts, as part of a broader pullback.
DreamWorks Animation contributed its open source MoonRay production path-tracing renderer to the Academy Software Foundation as a hosted project for broader vendor-neutral governance and collaboration.
The New Stack covers OpenSSF leaders warning that companies depending on open source security work need to contribute money, engineering time, or other support instead of freeloading on maintainers.
It's FOSS reports that ONLYOFFICE Docs 9.4 simplifies Community Edition licensing, drops the prior 20-connection limit, and moves enterprise-only features into plugins while updating the open source office suite.
OpenSSF announced five new foundation members along with a cyber reasoning sandbox project, Python secure-coding guide v1.0.0, and its first ambassador cohort as part of continued foundation growth.
pgBackRest announced that a coalition of sponsors, including AWS, Supabase, pgEdge, Tiger Data, Percona, and Eon.io, will fund ongoing development so the open source PostgreSQL backup project is no longer dependent on a single sponsor.
Phoronix reports that Linux networking maintainers are still dealing with a flood of AI/LLM-driven bug reports and fixes, including security issues, prompting concerns that the disclosure workload may keep growing.
A GlobeNewswire release carried by Markets Insider says Open Invention Network has preserved the source code for OIN 2.0's Linux System in Software Heritage, strengthening patent-risk mitigation, provenance, and long-term access for the open source packages covered by OIN's cross-license.
A PRNewswire release carried by StockTitan says the Linux Foundation's Agentic AI Foundation added 43 new members, including GoDaddy as a Gold Member, to work on open standards for production-grade agentic AI.
NextNav joined the OCUDU Ecosystem Foundation, a Linux Foundation project, to advance open source 5G and 6G integrated sensing and positioning, navigation, and timing technologies.
Forrester recapped Eclipse Foundation's OCX conference, highlighting discussions of open source funding models, vendor-neutral governance, regulation, AI, and license questions around AI-generated code.
The Linux Foundation's Agentic AI Foundation announced 43 new members, including enterprise, government, and startup participants backing open standards and open source infrastructure for agentic AI systems.
ByteHaven follows up on Bitwarden's Premium price increase, arguing that leadership changes and product direction point to a broader shift in how the open source password manager is being monetized.
BleepingComputer reports that an autonomous scanning system found an 18-year-old flaw in the open source NGINX web server, illustrating how AI-assisted or automated discovery can surface long-lived vulnerabilities in widely used infrastructure.
Spiral introduced Loupe, an AI-powered vulnerability scanning effort for open source Bitcoin projects, framing it as a way to reduce the asymmetry between attackers and maintainers while pairing automated findings with human review.
VulnCheck argues that rising CVE disclosure volumes across major vendors and open source projects are early evidence of AI-assisted vulnerability discovery, with implications for maintainers, triage capacity, and disclosure quality.
Software Freedom Conservancy explains a growing pattern of copyleft violations where vendors provide incomplete Corresponding Source, arguing that incomplete source has become a common and often intentional compliance failure.
Simon Willison highlights the UK Government Digital Service's response to the NHS closing public repositories after vulnerability reports, with GDS recommending that public-sector code remain open by default despite AI-assisted vulnerability discovery concerns.
LWN notes that Linux 7.1-rc4 documentation updates address the flood of AI-generated security reports that have made the kernel security list difficult to manage, with duplicated reports and guidance that AI-detected bugs are generally not secret vulnerabilities.
Phoronix reports that longtime Mesa and AMD Linux GPU driver developer Marek Olšák has left AMD for Valve, another sign of Valve investing in open source Linux graphics driver work for gaming.
Tech Times reports that Floci, a free MIT-licensed AWS emulator, gained traction as an open source alternative amid complaints about LocalStack features moving behind a $39-per-month paid plan.
Personal Digital Spaces introduced OpenRSL, an open standard intended to let publishers and website owners declare machine-readable licensing, payment, attribution, and access terms for AI crawlers and other automated agents.
Slashdot summarizes reporting that Bitwarden changed leadership and removed 'Always free' from parts of its website, prompting questions about the open source password manager company's future positioning.
FOSS Force covers a surge of AI-assisted Linux kernel vulnerability reports and the resulting maintainer concerns around validation workload, disclosure quality, and security triage.
Phoronix reports that Linux 7.1 added documentation clarifying security-bug handling and expectations for responsible AI use when finding and reporting kernel bugs.
Zulip announced the Zulip Foundation, a new nonprofit home for the open source team chat project intended to support long-term governance, fundraising, and community stewardship.
The New Stack reports on Block donating Goose, its open source AI coding agent, to the Linux Foundation and the OpenJS Foundation's Cross Project Council as a governance move for broader ecosystem adoption.
SecurityWeek reports that OpenAI rotated code-signing certificates after repositories containing them were compromised in a TanStack supply-chain attack, highlighting the exposure of AI vendors and developer tools to open source package ecosystem compromises.
A GlobeNewswire release carried by Yahoo Finance says Acquia launched a Fair Trade Initiative that directs 2% of each eligible partner co-sell transaction to the Drupal Association, embedding Drupal sustainability funding into partner revenue flow.
A bipartisan group of U.S. lawmakers asked the Office of the National Cyber Director to coordinate federal and industry planning for high volumes of AI-discovered software vulnerability disclosures, including support for validating, triaging, and patching flaws in the software ecosystem.
GamersNexus rehosted the OrcaSlicer-BambuLab fork with the developer's permission after Bambu Lab sent a cease-and-desist, escalating the AGPL-related dispute over Bambu's slicer software and cloud connectivity.
A Business Wire release carried by TMCnet says NextNav joined the Linux Foundation-hosted OCUDU Ecosystem Foundation to contribute positioning, navigation, and timing capabilities to open source 5G and AI-native 6G Open RAN infrastructure.
The Hacker News reports that OpenAI launched Daybreak, a controlled-access AI cybersecurity initiative, while noting that AI-assisted vulnerability discovery is accelerating report volume and triage fatigue for open source maintainers.
Techopedia reports that RPCS3 updated contributor rules after maintainers saw a rise in low-quality AI-generated pull requests, warning that undisclosed AI-generated submissions may lead to bans from contributing to the open source emulator.