Three of the most discussed incidents in open-source history share a common thread, and it isn't malice or incompetence on the maintainers' part: it's bus factor.
Left-pad (2016): An 11-line npm package, unpublished by its author during a naming dispute, broke builds for thousands of projects, including React and Babel. It had become a deeply buried transitive dependency that almost nobody realized they relied on until it disappeared, and builds only recovered after npm took the unusual step of restoring the package.
Heartbleed (2014): A catastrophic OpenSSL bug, a missing bounds check in the TLS heartbeat extension that let a remote peer read chunks of process memory, sat undetected for about two years in critical internet infrastructure maintained by a thin volunteer base with limited resources for the kind of rigorous review that might have caught it sooner.
XZ Utils (2024): An attacker spent roughly two years building trust with the library's sole, overworked maintainer, was granted co-maintainer access, and used it to ship a supply-chain backdoor in the release tarballs of a compression library that, through liblzma, ends up linked into sshd on several Linux distributions. It was caught almost by accident before it reached mainstream stable releases. The weakness exploited wasn't a bug in the code; it was a bus factor of effectively one.
The pattern across all three: critical infrastructure with a low bus factor is invisible right up until the moment it fails, and the blast radius is proportional to how deeply embedded that infrastructure became while nobody was paying attention to its fragility.
This isn't just an open-source supply chain problem. It's the exact dynamic that plays out inside early-stage startups when a single developer becomes the only person who understands the system. The scale is smaller, but the mechanism is identical.
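One way to make this fragility visible before it fails is to measure it. The script below is an added example, not code from the original post or from foundersbar.com: it computes a commit-share bus factor (the smallest number of top contributors who together account for a chosen share of a repository's commits) from the author list that `git log --format=%an` prints. The sample log, the author names and the 50% default threshold are constructed assumptions for illustration; the threshold and the commit-count proxy are simplifications of the metric, not a standard.

```python
from collections import Counter

# Constructed sample input (an assumption, not a real repository): one
# author name per commit, in the form `git log --format=%an` prints.
SAMPLE_LOG = """\
Alice
Alice
Bob
Alice
Alice
Carol
Alice
Alice
Bob
Alice
"""


def commits_per_author(log_text):
    """Count commits per author from `git log --format=%an` output."""
    return Counter(line.strip() for line in log_text.splitlines() if line.strip())


def dominant_share(counts):
    """Fraction of all commits made by the single most active author."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    _, top = counts.most_common(1)[0]
    return top / total


def bus_factor(counts, threshold=0.5):
    """Smallest number of top contributors whose commits together reach
    `threshold` of the total. Losing that many people removes most of
    the hands-on knowledge of the code base. Commit counts are a crude
    proxy for knowledge; treat the result as a warning light, not a score.
    """
    total = sum(counts.values())
    if total == 0:
        return 0
    covered = 0
    for n, (_, commits) in enumerate(counts.most_common(), start=1):
        covered += commits
        if covered / total >= threshold:
            return n
    return len(counts)


def report(log_text, threshold=0.5):
    """Summarise the risk for one log, flagging the bus-factor-of-one case."""
    counts = commits_per_author(log_text)
    factor = bus_factor(counts, threshold)
    return {
        "authors": len(counts),
        "bus_factor": factor,
        "dominant_share": round(dominant_share(counts), 2),
        "single_point_of_failure": factor <= 1,
    }


if __name__ == "__main__":
    # On a real checkout, feed it: git log --format=%an -- <path> | python bus_factor.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(text))
```

Run it per directory (`git log --format=%an -- src/crypto/`) rather than for the whole repository: a project with a healthy overall author count can still have a bus factor of one on the module everything else depends on, which is exactly the XZ Utils shape.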
Full breakdown with the complete case studies and the data behind bus factor risk: → https://foundersbar.com/articles-and-research/bus-factor-explained-silent-startup-killer (foundersbar.com)
What's the lowest-bus-factor dependency you've found buried in a project?