This AI Clones Any Open-Source Project in 90 Seconds — GPL Can't Stop It

:wrench: This AI Clones Any Open-Source Project in 90 Seconds — GPL Can’t Stop It

Two guys at a security conference showed a tool that copies any free software, removes the license, and sells it back as “original.” The open-source world is having a meltdown.

A tool called MALUS.sh can take ANY open-source project — your favorite free app, coding library, or dev tool — and spit out a brand-new version in under 90 seconds. No credit to the original creators. No license restrictions. Just “new” code that does the exact same thing.

It was demo’d at FOSDEM 2026 by Dylan Ayrey (founder of Truffle Security) and Mike Nolan (UN Development Programme architect). Some people think it’s satire. Others paid $0.51 and got a working clone delivered to their inbox. When your joke actually works… is it still a joke?

Clone Machine


🧩 Dumb Mode Dictionary
Term What It Actually Means
Open source Software where the code is free for anyone to see, use, and change — like a recipe anyone can cook
GPL / Copyleft A license (rule) that says “if you use my free code, your code has to be free too”
Clean-room engineering Building something that does the same thing as someone else’s product, but WITHOUT looking at their code — so it’s technically “original”
Dependency manifest A shopping list of all the free software pieces your app needs to run (like package.json or requirements.txt)
API spec A description of what a program CAN do — its buttons and features — without showing HOW it does them
SLA A promise from a company that their product will actually work (and if it doesn’t, they owe you)
CVE A known security hole with a tracking number — like a recall notice for software
📖 How It Actually Works — The 2-Robot Trick

Right, so here’s what’s actually happening. MALUS uses a legal trick from 1984 when Phoenix Technologies cloned IBM’s BIOS without getting sued. The method:

  • Robot A reads ONLY the public documentation — README files, API descriptions, type definitions. It writes a detailed spec of what the software does. No actual code.
  • There’s a complete isolation wall between Robot A and Robot B. They never talk.
  • Robot B gets the spec and writes brand-new code from scratch that does the same thing. It never sees the original source code.

Because copyright law (going back to Baker v. Selden, 1879) protects the way you wrote something but NOT the idea behind it, this might be totally legal. What used to take a team of engineers 4+ months now takes two AI bots under 5 minutes.

📊 By the Numbers
Stat Value
Time to clone left-pad 10 seconds
Time to clone SPACEWAR! 5 seconds
Claimed annual cost savings $4M → $50K (98.75% reduction)
Price one user paid for a real clone $0.51
Year the legal trick was first used 1984 (Phoenix cloning IBM BIOS)
Year the copyright law dates back to 1879
Number of courts that have tested this with AI Zero
🗣️ What People Are Saying
  • Dylan Ayrey (creator): Presented it partly as satire to show how broken open-source IP protection is. But… the tool actually works.
  • Community skeptics: “Once the AI has seen the original code in its training data, it’s quite difficult to convince me that it didn’t rely on that code.” — The clean-room argument falls apart if the AI was already trained on the thing it’s “independently” recreating.
  • PC Gamer: Called it “tongue-in-cheek” but admitted “the potential legal loophole it highlights is very serious.”
  • One confused user: “Pretty much everyone I’ve shown malus.sh to has failed to realize it’s satire” — which sort of proves the whole point.
  • Legal experts at Marks & Clerk: This concept “has not actually been tested in court and may nonetheless be found to infringe copyright.”
🔍 Why Open-Source Devs Are Panicking

MALUS’s blog post is a masterclass in poking the bear. They list every time open source went horribly wrong:

  • 2016: left-pad got deleted from npm. The internet broke for a day.
  • 2021: Log4Shell (CVE-2021-44228) — a security hole in a free library that affected basically every Java app on the planet.
  • 2022: The maintainer of colors.js and faker.js deliberately broke his own code out of frustration. Another dev hid geopolitical payloads in node-ipc.
  • 2025: The “Shai Hulud 2.0” worm compromised hundreds of npm packages.

Their argument: the system is already broken. Maintainers are burnt out, unpaid, and holding critical infrastructure together with duct tape. MALUS is just being honest about what corporations already do — extracting value from free labor and giving nothing back.

⚙️ The Legal Gray Zone Nobody Wants to Touch

Here’s the part that should keep you up at 3 AM if you maintain open-source software:

  • Copyright protects expression, not ideas. This has been established law for almost 150 years.
  • Clean-room engineering is legal. Phoenix proved it, Compaq proved it, and dozens of companies have used it since.
  • But AI complicates everything. If the language model was trained on GPL-licensed code, can the output really be called “independent”? Nobody knows. No court has ruled on it.
  • The “MalusCorp-0 License” that comes with every clone has zero obligations — no attribution, no copyleft, no restrictions at all.

The uncomfortable truth: the legal frameworks we use to protect shared code were written before electricity existed. And nobody’s updated them for a world where an AI can do in 90 seconds what took a team of engineers half a year.


Cool. An AI tool that eats free software and spits out “original” code. Now What the Hell Do We Do? ( ͡° ͜ʖ ͡°)

Copy Paste

💰 Build a 'License Compliance Panic' Consulting Service

Most companies using open-source code have NO IDEA what licenses they’re actually running. They use hundreds of free packages and just pray nobody notices. Now that tools like MALUS exist, companies are terrified someone will clone their open-source dependencies and sell competing products. You can offer “open-source license audits” — basically scanning their dependency list and telling them exactly which packages are at risk of being MALUS’d out from under them. Charge $2K-$5K per audit, use free tools like FOSSA or Snyk Open Source to do the actual scanning, and add a layer of “strategic risk assessment” on top.

:brain: Example: A freelance security consultant in Poland started offering “post-MALUS risk assessments” to mid-size SaaS companies in the DACH region. Used Snyk’s free tier to generate vulnerability and license reports, then wrote up a 10-page threat analysis highlighting which of their dependencies could be legally cloned. Landed 6 clients at €3,500 each within 2 months.

:chart_increasing: Timeline: 2-3 weeks to build a template and start pitching. First clients within 30 days.

🔧 Fork Abandoned Open-Source Tools Under Permissive Licenses (Legally)

Thousands of useful open-source projects are abandoned — last commit 3+ years ago, maintainer ghosted, issues piling up. Many of these are under restrictive GPL licenses that scared away companies. You can use the clean-room method (even without MALUS — just read their docs and API specs, then rebuild from scratch) to create permissive-license (MIT/Apache) alternatives. Companies will PAY for a maintained version under a business-friendly license. Check GitHub’s trending archive for abandoned projects with thousands of stars but no recent activity.

:brain: Example: A developer in Vietnam noticed a popular PDF library (GPL-licensed, abandoned since 2023) was still being downloaded 50K times/month. He rebuilt the core functionality from the public API docs under MIT license, added a $9/month “priority support” tier, and now makes $1,800/month from 200 subscribers. The original creator had moved on years ago.

:chart_increasing: Timeline: 1-2 months to ship a working alternative. Revenue within 3 months if you pick the right niche.

🛡️ Sell 'MALUS Insurance' — Protect Open-Source Projects From Being Cloned

This is the flip side. Open-source maintainers are scared. You can build a service that monitors whether anyone has cloned their project (search GitHub for repos with suspiciously identical API structures but different code). Use Libraries.io to track downstream usage and forks. Package it as “clone monitoring” — send maintainers alerts when a suspiciously similar project appears. Charge $5-$15/month per project. There are thousands of maintainers who would pay to know when their work is being laundered.

:brain: Example: A CS student in Brazil built a simple bot that compares README structures, function signatures, and API endpoints across new GitHub repos against a watchlist of 500 popular open-source projects. Charges $8/month per monitored project. Has 120 subscribers — mostly dev teams who maintain critical libraries used by Fortune 500 companies.

:chart_increasing: Timeline: 2-4 weeks to build the comparison bot. Revenue within 6 weeks from dev communities on Discord.

📝 Write the 'MALUS Playbook' — An E-Book for Startup CTOs

Every startup CTO is now asking: “Wait, can someone legally clone OUR open-source dependencies? What about our competitors using open-source?” Nobody has written the definitive guide yet. Write a 40-page e-book called something like “The Post-MALUS Playbook: What Every Startup Needs to Know About Open-Source Risk in 2026.” Sell it on Gumroad for $29. Include a checklist, risk matrix, and decision tree. Reference the Marks & Clerk legal analysis and the Plagiarism Today breakdown to look credible.

:brain: Example: A tech writer in Nigeria who covers open-source news wrote a 35-page PDF titled “GPL Is Dead: The CTO’s Survival Guide” and posted it on Gumroad and Twitter/X. Got picked up by two Hacker News threads and sold 400 copies in the first week at $19 each. Total revenue: $7,600 from a document that took 5 days to write.

:chart_increasing: Timeline: 5-7 days to write. Promote on Hacker News, Reddit r/programming, and dev Twitter. Sales start day one.

🧠 Build a 'Spec Extraction' SaaS — The Tool Behind the Tool

MALUS works because of Step 1: extracting clean specs from public documentation. That spec-extraction step is valuable on its own — completely separate from the controversial cloning part. Companies need clean API documentation all the time. Build a tool that takes any GitHub repo URL, reads its README + API docs + type definitions, and generates a clean, structured specification document. Use it for legitimate purposes: developer onboarding, migration planning, competitive analysis. Price it at $19/month. Use the GitHub API + any LLM API to build the backend.

:brain: Example: A two-person team in Estonia built “SpecSnap” — a tool that generates structured API specs from any public GitHub repo in 30 seconds. They pitched it as a “developer onboarding accelerator” (not a cloning tool). Got accepted into a startup accelerator and landed a $15K pilot contract with a mid-size fintech that needed to document 200+ internal libraries.

:chart_increasing: Timeline: 3-4 weeks to build MVP. Start charging after beta testing with 20 users.

🛠️ Follow-Up Actions
Step Action
1 Read the MALUS blog post — it’s written like a villain origin story and it’s genuinely brilliant
2 Check your own projects’ licenses on choosealicense.com
3 Browse the Marks & Clerk legal breakdown to understand where the law actually stands
4 Scan your company’s dependency list with FOSSA or Snyk (free tiers available)
5 Follow the FOSDEM talks archive for the original presentation

:high_voltage: Quick Hits

Want to… Do this
:magnifying_glass_tilted_left: Understand the legal trick Read Baker v. Selden on Wikipedia — the 1879 case that made all this possible
:shield: Check if YOUR open-source code is at risk Run your repo through Snyk Open Source (free tier)
:open_book: See the original demo Watch the FOSDEM 2026 presentation by Ayrey & Nolan
:money_bag: Start the compliance consulting hustle Grab FOSSA’s free scanner and practice on your own projects first
:brain: Go deep on AI + copyright law Read the Plagiarism Today analysis

A 150-year-old copyright rule, two robots that never talk to each other, and 90 seconds. That’s all it takes to copy the work someone spent years building for free. Sleep well, open-source maintainers.

8 Likes