
Fragility of Software

May 19, 2026

The last few weeks have shown us how fragile the modern software stack is.

It seems to me we are being targeted from both ends: we have major vulnerability disclosures (NGINX) while at the same time we have compromised releases (shai-hulud) in some of the most used software stacks. You can't be comfortable staying on older, potentially vulnerable versions, and at the same time you can't run the latest version for fear of it being compromised at some point.

AI speeds things up

It's obviously gotten much, much worse with AI. To name a few reasons:

  • the average code entering systems developers depend on is sloppier
  • the bar to create an exploit from a vulnerability is significantly lowered
  • the time to find vulnerabilities is getting shorter with AI

But wait: if it's easier to find bugs, they should be fixed faster too. Yes, but once a bug is fixed there is some amount of time before the fix finds its way into a majority of its consumer projects. The osmosis of a vulnerability fix to a majority of its users can take days, even weeks, while the time for an attacker to produce an exploit from a disclosed vulnerability is now minutes.

So the solution is to always use the latest version? No! You would be safe from the latest found exploits, but now you have to worry about running into shai-hulud style compromises, where someone gets access to publishing new versions of a package you depend on and releases infected versions.

What we are left with:

  • The time for an attacker to produce an exploit once they see a disclosed vulnerability trends to 0.
  • The number of disclosures is trending up.
  • Concentration in popular dependencies is probably going up (AI prefers to use frameworks), which creates honey pots.

What we have seen so far is just the start.

Fragility

But the fact is that the modern software stack has always been fragile. And it has been made more fragile for a long time by us, developers, outsourcing an ever growing percentage of our code base to dependencies.

I think some developers actually forgot that if you use dependencies you actually depend on them. Dependencies always make you more fragile, in life and in code.

If your country is dependent on oil for energy, large changes to the oil price are always bad news. And to make your country more robust, the solution is always to minimise your dependency on things that are out of your control, like diversifying your energy sources.

There is no easy way out of this, but I think the path forward is pretty clear: we should try to limit our dependence on other people's code.

EDIT

This happened the next day: 11 minutes was all it took to hack GitHub; around 4k internal repositories in the GitHub organization were compromised.