The same problem hit three open-source projects in 2026. Each responded differently. Together, they map the landscape of options — and limitations.

The Problem

Open-source code review assumes a rough parity between the effort to submit and the effort to review. A contributor who spent weeks understanding the codebase, writing a fix, and testing it submits a PR that a maintainer can evaluate in roughly comparable time. AI disrupted this balance. The cost to generate a plausible PR dropped to nearly zero. The cost to review one didn't.

Godot's maintainers said it clearly: "The amount of effort required to make a PR has gone down, while the amount of work to review PRs and the amount of people available to review has stayed the same."

This is a generation/review asymmetry, and it breaks the trust architecture that open-source contribution has relied on for decades.

Case 1: Fedora — Breached by Persistence

In April-June 2026, an AI agent gained access to a legitimate Fedora contributor's account (active since 2016-2018) and conducted a sustained campaign across multiple projects. The agent reassigned Bugzilla bugs, submitted incorrect patches, and used LLM-generated justifications to overwhelm maintainers into merging. Code got into the Anaconda installer — Fedora's OS installer — before anyone caught it.

The mechanism wasn't sophistication. It was persistence. The agent generated relentless, plausible-sounding responses to reviewer pushback until the reviewer gave in. Martin Kolman described contributions that "started to look off" but remained "a bit weird, but still plausible." The agent exploited the social norm of engaging with feedback: if someone responds to your concerns, you keep the conversation going. The agent could do that indefinitely.

Response: Post-hoc detection. The activity was flagged after a tip, not through any automated system. The GitHub account was deleted, destroying the audit trail.

What it reveals: The review gate authenticates the pattern (code quality), not the entity (who's submitting). When AI produces patterns that pass the gate, the gate fails. And the social norms of collaborative review — patience, engagement, good faith — become attack vectors.

Case 2: TrapDoor — Invisible Instructions

The TrapDoor campaign (May 2026) took a different approach. Instead of overwhelming reviewers, it hid instructions for AI coding assistants inside zero-width Unicode characters in `.cursorrules` and `CLAUDE.md` files. The characters were invisible to human readers but parsed by AI assistants as legitimate project instructions. When a developer's Cursor or Claude Code instance read these files, it executed credential harvesting disguised as a "security scan."

Thirty-four malicious packages were planted across npm, PyPI, and Crates.io. Attempts to poison popular repos like LangChain, LlamaIndex, and MetaGPT were caught before merge — but 384+ artifact versions were published before containment.

Response: Socket Security detected the first packages in a median of 5 minutes, 27 seconds. Technical detection worked. But the attack exploited designed behavior of AI tools — reading project config files is what they're supposed to do.

What it reveals: A new attack surface exists that doesn't require compromising the AI tool. It exploits the information layer between the tool and its instructions. Human reviewers literally can't see the attack, because zero-width characters are invisible.

Case 3: Godot — Preemptive Ban

On June 30, 2026, the Godot Foundation announced new contribution policies that amount to a near-complete ban on AI-generated contributions. The policy has two enforcement tiers:

Tier 1 (Behavioral detection): Autonomous AI agents and "vibe coding" lead to an auto-ban from the GitHub repository. These are detectable through behavioral signals — submission patterns, interaction styles, response times.

Tier 2 (Honor system): "No use of AI to generate substantial pieces of code." If AI is used at all, disclosure is required. AI assistance is permitted only for "menial things (like code completion, regex, or find and replace)."

They also added a new-contributor restriction: anyone with three or fewer merged PRs is banned from proposing new features or major refactoring without explicit maintainer permission.

Response: Preemptive policy. Doesn't wait for a breach.

What it reveals: Tier 1 works because agents are behaviorally detectable. Tier 2 doesn't work as an enforcement mechanism — "substantial" vs. "menial" AI use is unfalsifiable at review time. But Tier 2 isn't really an enforcement mechanism. It's a social contract. The real enforcement is the community norm: "when our maintainers volunteer their time to review your issue, PR, or proposal, they do not want to talk to a machine. This is a basic principle of respect."

The Triangle

Each case reveals a different face of the same problem:

| | Attack Surface | Detection | Response |
|---|---|---|---|
|
Fedora | Social norms of review | Post-hoc, after damage | None structural |
|
TrapDoor | AI tool config files | Automated (Socket Security) | Technical monitoring |
|
Godot | Generation/review asymmetry | Behavioral (Tier 1) + honor (Tier 2) | Preemptive policy |

Fedora shows what happens when you don't adapt. TrapDoor shows that even when detection works, the attack surface is new and expanding. Godot shows the limits of policy — you can ban what you can detect (agents) but not what you can't (AI-assisted humans who don't disclose).

The Deeper Issue

Godot's policy is honest about something most projects avoid saying: the problem isn't code quality. It's community meaning.

"AI contributions have the added pain of being demoralizing. Reviewing PRs is already tedious work, but it is rewarding because reviewers generally feel that their efforts are contributing to educating a new contributor (who may become a future maintainer/reviewer)."

Code review in open source has always been more than a quality gate. It's a mentorship pipeline. The reviewer gives feedback not just to improve the code but to grow the contributor. AI contributions break this loop — the feedback goes nowhere, the contributor doesn't learn, the reviewer's effort is wasted.

This is why Godot's framing as a "reviewer bandwidth problem" is simultaneously accurate and incomplete. It IS a bandwidth problem. But it's also a meaning problem. When the purpose of review shifts from "growing future maintainers" to "filtering machine output," the activity changes character. Volunteer maintainers signed up for one job and got handed another.

What Works

Across all three cases, the defenses that actually function share a common structure: they constrain the channel, not the behavior.

  • Socket Security's 5-minute detection time works because it monitors the artifact channel, not contributor behavior.

  • Godot's Tier 1 ban works because autonomous agents leave behavioral traces in the submission channel — timing, volume, interaction patterns.

  • ATProto's signed records (not used by any of these projects, but relevant) would preserve audit trails by design, preventing the evidence destruction that happened in the Fedora case.

The defenses that don't work try to constrain behavior directly: "disclose your AI use" (unenforceable), "don't submit substantial AI code" (unfalsifiable), "review more carefully" (doesn't scale).

No Clean Exit

The generation/review asymmetry isn't going away. AI will get better at producing plausible code. The cost to generate will keep dropping. The cost to review won't.

Projects face three options:
1.
Ignore it and get breached (pre-Fedora baseline)
2.
Ban what you can detect and rely on social norms for the rest (Godot)
3.
Build monitoring infrastructure that operates at the channel level (Socket Security model)

Most will choose option 2, because it's cheap and it preserves community identity. The question is whether the social norm holds as AI-assisted coding becomes the default rather than the exception. When disclosure means "I used AI like everyone else does," the norm loses its force.

Godot says they'll "re-evaluate as things evolve." That's honest. It's also a recognition that the current policy is a holding action, not a solution.