Malus.sh Sells "License Liberation" — AI Robots Clone Your npm Packages in International Waters

A satirical “Clean Room as a Service” just exposed the exact thing Big Tech is already doing with LLMs — and devs are NOT laughing

A fake startup called Malus (“evil” in Latin) launched a site promising to strip open source attribution using AI robots. Some HN commenters couldn’t tell it was satire. Because it isn’t, really.

The site — complete with Stripe checkout, per-KB pricing, and a “MalusCorp-0 License” — promises to recreate any npm package “from scratch” so you never have to credit a single maintainer again. The punchline? Companies with billion-dollar AI models are doing exactly this. Right now. For real.

🧩 Dumb Mode Dictionary

| Term | Translation |
| --- | --- |
| Clean Room | Legal strategy where devs recreate software from a spec without ever seeing the original code, so the result is not a “copy” |
| AGPL | Copyleft license with a network clause: if you modify it and users interact with it over a network (read: your SaaS), you have to offer those users YOUR source. Corporate nightmare fuel |
| Copyleft | License that says “if you modify and redistribute this, your version must also be open source” |
| MC-0 Pass | Malus’s fake certification that your AI-cloned code is “legally distinct” |
| Attribution | The part of most licenses that says “hey, at least put our name somewhere” |
| npm Manifest | The file (package.json) listing every open source package your app depends on |
📖 The Backstory — What Even Is This

Okay so. You know how every couple months some startup does something so cartoonishly evil that you assume it’s a joke? Yeah.

Malus.sh appeared on Hacker News looking like a perfectly legit SaaS product. Upload your package.json. Their “proprietary AI robots” — operating in “international waters” apparently — recreate every dependency from scratch. Out comes code under the MalusCorp-0 License. Zero attribution. Zero copyleft. Zero giving credit to the people who wrote the thing you’re shipping.

The company name literally means “evil” in Latin. The testimonial is from “Chad Stockholder, Profit First LLC.” The audit logs “definitely exist and are available upon request to courts in select jurisdictions.”

It’s satire. Obviously. Except…

😤 Why Nobody Could Tell It Was a Joke

Here’s the uncomfortable part. Multiple HN commenters read the whole site and went “wait, is this real?” One person literally wrote:

“The fact that it took me the comments section to understand this is satire speaks a lot about the current status of where things are going.”

And they’re right? Because:

  • LLMs trained on open source code already generate “functionally equivalent” implementations daily
  • GitHub Copilot has been doing a version of this since 2021
  • Companies ARE using AI to avoid dependency on copyleft libraries
  • The economic incentive is massive — why maintain 200 OSS dependencies when you can just… regenerate them?

The satire works because it describes a thing that is literally already happening. Just without the honest branding.

📊 The Malus Feature Sheet (100% Fake, 100% Plausible)

| Feature | What They Claim |
| --- | --- |
| Input | Your package.json, requirements.txt, etc. |
| Process | AI “robots” analyze only public docs and APIs |
| Output | Functionally equivalent code, new license |
| Pricing | Per KB of unpacked package size |
| License | MalusCorp-0 (their own, zero obligations) |
| Targets | MIT, Apache-2.0, AGPL, GPL, LGPL, BSD, MPL |
| Legal shield | “Offshore subsidiary” indemnification |
| Limits | 50 packages, 10 MB each unpacked |
🗣️ What Devs Are Actually Saying

The HN thread is a goldmine of existential dread disguised as tech commentary:

  • “It wouldn’t be funny if it wasn’t close to the truth” — the most upvoted take
  • Multiple devs pointed to the chardet library controversy where maintainers were pressured by corporations as proof this energy already exists
  • Some argued clean room reimplementation via AI is technically legal under current copyright law — the same way Google’s clean room Java implementation survived the Oracle lawsuit
  • Others flagged that if this DID become a real service, the AGPL would be the first casualty — the one license specifically designed to prevent this exact scenario

The vibe is: “haha this is so funny” followed immediately by “wait no this is terrifying”

⚙️ The Real Threat Under the Joke

Strip away the satire and here’s what’s left:

  • AI code generation is already a de facto clean room. The model “never saw” your specific code. It just saw… all code. On earth. Including yours.
  • License compliance is about to get way harder. If AI can generate code that’s functionally identical but technically “original,” what does copyright even mean?
  • Open source maintainers are already burned out. Now add “your work can be AI-laundered in seconds” to the pile.
  • Corporate legal teams are watching. If someone CAN build this for real (and they can), someone WILL.

The Malus creator basically said the quiet part loud. With a Stripe button.


Cool. AI Can Launder Open Source Now. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

🛡️ Build an OSS License Compliance Audit Tool

Most companies have NO idea what licenses live in their dependency tree. Build a CLI or SaaS tool that scans package.json / requirements.txt / Cargo.toml, reads the declared license of every installed dependency (for npm that is the SPDX expression in each package’s license field, plus the two legacy formats older packages still use), and flags AGPL, GPL, and other copyleft risks before they ship. Pair it with AI to auto-suggest compliant alternatives.

:brain: Example: A solo dev in Tallinn, Estonia built an open-source license scanner called DepAudit after seeing his employer accidentally ship AGPL code. Posted it on r/SideProject, got 2,000 GitHub stars in a week, then sold a “Pro tier” with Slack alerts for $3,200/mo within 6 months.

:chart_increasing: Timeline: 2-4 weeks for MVP, monetize via SaaS tier for teams

📝 Create a 'Maintainer Attribution' Verification API

There’s going to be a market for PROVING that code was human-written and properly attributed. Build an API that takes a code snippet, cross-references it against known OSS repos, and returns a confidence score for originality vs. AI-laundered output.

:brain: Example: A two-person team in Pune, India built a plagiarism-detection API for academic code after their professor couldn’t tell student submissions from Copilot output. Pivoted to commercial use when a compliance firm reached out. Now processing 40,000 API calls/day at $0.002/call.

:chart_increasing: Timeline: 3-6 weeks to prototype, target legal/compliance teams

💰 Launch an 'Ethical Dependency' Badge System

Companies love badges. “SOC-2 Compliant.” “Carbon Neutral.” Build a verification system that certifies a project uses ONLY properly licensed dependencies with full attribution. Charge companies for the audit, give them a badge for their README and marketing.

:brain: Example: A freelance compliance consultant in Berlin, Germany started manually auditing npm dependency trees for fintech startups after one client got flagged in a due diligence review. Automated it with a script, branded it CleanStack Certified, and now charges €800/audit with 15 recurring clients.

:chart_increasing: Timeline: 1-2 weeks for badge + basic audit script, grow through LinkedIn outreach to CTOs

🔧 Build a 'License Poison Pill' for OSS Maintainers

If AI can strip attribution, maintainers need new weapons. Build a tool that embeds cryptographic watermarks or stylometric fingerprints into open source code, something that survives AI reimplementation and can prove derivation in court. The hard part: a genuine functional reimplementation carries none of the original text, so anything hidden in identifiers, comments or formatting is gone by construction. Only fingerprints in behaviour (deliberate quirks in edge-case outputs, say) have a chance of surviving, and a matching quirk shows functional copying rather than copied text, which is a much weaker copyright story.

:brain: Example: A security researcher in São Paulo, Brazil built a proof-of-concept code watermarking tool for her thesis, posted it on GitHub, and got featured on Hacker News. A legal tech firm licensed the approach for $25,000 upfront + royalties to integrate into their IP protection suite.

:chart_increasing: Timeline: 4-8 weeks for working prototype, target IP law firms and OSS foundations

🛠️ Follow-Up Actions

| Step | Action |
| --- | --- |
| 1 | Audit YOUR project’s dependency licenses today: run npx license-checker in the project root and read every line you did not expect |
| 2 | Read the AGPL and understand what “network use” means for your SaaS (spoiler: if you modified it, users interacting with it over the network get to ask for the source) |
| 3 | Follow the Software Freedom Conservancy for legal updates on AI + OSS |
| 4 | If you maintain OSS: add a clear LICENSE file AND a NOTICE file with attribution requirements |
| 5 | Join the conversation in the HN thread; the discourse is genuinely important |

:high_voltage: Quick Hits

| Want | Do |
| --- | --- |
| :magnifying_glass_tilted_left: Check your licenses | Run npx license-checker --summary in your project root |
| :open_book: Understand clean room law | Read the Oracle v. Google ruling, the case everyone cites; note the Supreme Court decided it on fair use of the API declaring code, not on clean-room grounds |
| :shield: Protect your OSS project | Add AGPL-3.0 if you want maximum copyleft protection; it binds copies and modified versions, not an independent reimplementation of the same behaviour |
| :light_bulb: See the satire yourself | Visit malus.sh and count how long before you question reality |
| :speaking_head: Join the debate | HN Discussion — 200+ comments of devs processing grief |

The funniest part about Malus isn’t that someone built it as a joke. It’s that three VCs probably emailed the founder asking for a demo.
