For a small fee (reportedly under $50), malus.sh takes any open-source GitHub repo and:

• Step 1: AI reads the code and writes a functional specification (what it does, not how)
• Step 2: A SEPARATE AI instance codes it from scratch using only that spec
• Step 3: You get “legally distinct” code with NO GPL obligations, NO attribution required

The name MALUS is Latin for “bad” or “harmful” — because Ayrey and Nolan built this as a warning shot, not a product launch. Their FOSDEM 2026 talk was titled “Let’s End Open Source Together With This One Simple Trick.”

But satire or not — it works. And the legal loophole is real.

The paradox: Malus.sh claims to generate “proprietary” code — but courts say AI output has no copyright. So you can’t copyright it, but you also can’t be sued for copying the original. Legal no-man’s-land.

Heather Meeker (open-source licensing attorney): “Is copyleft dead?” (title of her blog post analyzing malus.sh)

Jonathan Corbet (LWN.net): “This is the great license-washing that everyone warned about.”

The Register: “Chardet dispute shows how AI will kill software licensing.”

The Chardet incident: A developer used AI to rewrite a GPL-licensed library, claimed it was “new code,” and relicensed it under MIT. The original maintainer objected. The AI-generated version stayed up. GPL couldn’t enforce.

What’s NOT being said: No major legal challenge yet. Everyone’s watching. Nobody wants to be the test case.

Here’s the nuclear issue: most AI models were trained on GitHub.

That means:
• GPT-4, Claude, Gemini, etc. literally read GPL code during training
• When they “generate new code,” are they actually recalling patterns from GPL repos?
• If yes, is this really “clean room” — or just automated plagiarism with extra steps?

Courts haven’t ruled on this. Legal scholars are split. Meanwhile, malus.sh exists and works.

From the Thomson Reuters v. ROSS Intelligence case (AI legal research tool): The court said training on copyrighted material to build a competing product is NOT fair use. But that was legal briefs, not code. And the case settled before appeal.

Nobody knows how this applies to code generation. Yet.

Instead of fighting this, USE it. Find a profitable open-source tool, use AI to rebuild the core functionality, wrap it in a better UX, charge for hosting/support.

Example: Liam (designer, Cape Town) found a GPL-licensed PDF toolkit on GitHub. Used Claude + Cursor to rebuild the PDF merging/splitting functions in a weekend. Wrapped it in a slick UI. Charges $9/month for unlimited use. Hit $2,400 MRR in 4 months by targeting non-technical users who don’t want to install Python libraries.

Timeline: Weekend rebuild, 2 weeks for UI polish, 1 week for Stripe integration, 3-4 months to $2K+ MRR via Reddit/Twitter marketing.

Controversial? Yes. Legal? Probably. Companies HATE GPL obligations. They’ll pay to convert GPL tools into MIT/Apache-licensed alternatives.

Example: Priya (dev, Bangalore) saw companies struggling with GPL’d analytics libraries. Built a service: you send her a GitHub repo, she uses AI + manual review to generate a functionally identical but legally distinct version under MIT license. Charges $500-$2,000 per project depending on complexity. Did 8 projects in Q1 2026 = ~$9K.

Timeline: 1-2 weeks to build the workflow (AI + legal checklist), 1-3 days per client project, charge 50% upfront.

Automate what malus.sh does but niche it down. Target specific ecosystems: Python → Go, GPL → MIT, legacy Java → modern Kotlin, etc.

Example: Marcus (engineer, Berlin) built a tool that converts GPL Python libraries to MIT-licensed TypeScript equivalents. Targets JavaScript devs who want Python functionality but can’t use GPL in commercial projects. Charges $29/month for 10 conversions. Got 140 users ($4,060 MRR) in 5 months via dev Twitter and Indie Hackers.

Timeline: 3 weeks to build MVP using Claude API, 1 week for landing page, 4-5 months to $4K MRR with content marketing.

Flip the script: help open-source maintainers DETECT when their code has been AI-cloned. Build tooling that fingerprints functionality, not just syntax.

Example: Aisha (security researcher, Nairobi) created a service that scans proprietary repos for “suspiciously similar” function logic to open-source projects. Uses embeddings + ML to catch semantic copying that text diff misses. Charges maintainers $200-$500 per audit, enterprises $2K-$5K to scan their own codebases for license compliance risks. Did 23 audits in Q4 2025 = ~$18K.

Timeline: 1 month to build detection tool, 2 weeks to productize as a service, ongoing client acquisition via open-source conferences and Twitter.