GitHub Is Becoming a Giant AI Code Dump
By MAREF Engineering
GitHub has 630 million repos. Nearly half of all new code is written by AI.
Sounds like a productivity explosion, right?
But a second number sits right beside that one: developer trust in AI code dropped from 77% to 60%. More people are using it. Fewer people believe in it.
And it gets worse.
A large share of the stars you see are fake
Carnegie Mellon University found 6 million fake stars on GitHub. Security firm Socket uncovered 370,000 "fix stars" directly tied to scams. That vibe coding project with thousands of stars? A meaningful share of those stars may well be fabricated.
That's not even the scary part.
CodeRabbit scanned 470 PRs. AI-written code had 1.7x more critical issues than human-written code. 45% of AI code ships with OWASP Top 10 vulnerabilities. 63% of developers say fixing AI code takes longer than writing it from scratch.
But here's the most mind-bending finding.
You're getting slower, but you have no idea
METR ran a randomized controlled trial with experienced open-source developers. The result: developers using AI tools were actually 19% slower, yet they believed they were about 20% faster.
When they showed the participants the data, they still insisted they were faster.
That's the real horror. You're getting slower, and you have no idea.
Open source is drowning in garbage PRs
Look at what major projects are doing:
- curl — shut down its 7-year bug bounty program. AI-generated bug reports: only 5% were real. The rest was noise.
- Ghost — outright banned AI-submitted code.
- Tailscale — went further: closed all external PRs. AI or not, doesn't matter anymore.
- GitHub itself — building a "PR kill switch" so maintainers can one-click disable external submissions.
Open source isn't being destroyed by hackers. It's being drowned to death by garbage AI-generated PRs from vibe coders.
Garbage in, garbage out
Here's the most ironic part of the whole chain:
You ask AI to write code → the model was trained on, and increasingly retrieves, code from GitHub → more and more of that code was itself written by other AIs → garbage in, garbage out. What do you think comes out?
GitHub used to be a code repository. It's turning into a giant AI code dump.
The problem isn't AI. It's governance.
AI writing code isn't the problem. The problem is: nobody is auditing what AI does.
The core premise of vibe coding is "accept everything AI generates — don't review, don't modify." That works for a TODO app. For production code, it's planting time bombs.
But asking humans to review AI code line by line isn't realistic either. If 63% of devs already say fixing AI code takes longer than writing it, mandating manual review of every generated change simply moves that cost onto the reviewer, and the reviewer is the scarcest resource a project has.
The real solution isn't "stop using AI" or "review everything manually." It's automated governance between AI code and production:
- Every tool call is audited — every file change, every API call, cryptographically signed and recorded.
- Dangerous actions are blocked — delete database? modify production? First pass through a 4-level decision tree. 97% auto-resolved, 3% escalated to human review.
- Security policies evolve — every false positive, every bypass attempt feeds back into the governance engine.
- Formal verification — not "we hope this is safe." Mathematically provable convergence toward safety.
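To make the first two bullets concrete, here is an added illustration of what a tool-call gate of this shape looks like in code. It is example code written for this article, not MAREF's implementation: the tool names, the exact four levels, the destructive-command patterns and the shared key are all assumptions, and an HMAC stands in for the asymmetric signature a real deployment would use. Each tool call is walked through the tree (read-only allowlist, destructive denylist, production-target escalation, default allow), and every verdict is appended to a hash-chained, keyed audit log that detects later edits or deletions.

```python
"""Illustrative agent tool-call governance gate (example code, not MAREF's).

Four-level decision tree + hash-chained, HMAC-authenticated audit log.
All tool names, patterns and the key below are assumptions for the demo.
"""
import hashlib
import hmac
import json
import re

# Level 1: tools assumed to be side-effect free (assumption for the example).
READ_ONLY_TOOLS = {"read_file", "list_dir", "grep", "git_status"}
# Level 2: command shapes refused outright (constructed patterns).
DESTRUCTIVE_PATTERNS = [
    re.compile(r"\b(drop|truncate)\s+(table|database)\b", re.I),
    re.compile(r"\brm\s+-[a-z]*r[a-z]*f?\b"),
    re.compile(r"\bgit\s+push\s+.*--force\b"),
]
# Level 3: substrings that mark a target as production (assumption).
PRODUCTION_HINTS = ("prod", "production")
# Demo key only; a real gate would hold this in a KMS/HSM or sign asymmetrically.
AUDIT_KEY = b"example-shared-secret"


def decide(call: dict) -> tuple[str, int]:
    """Walk the decision tree; return (verdict, level that decided)."""
    tool = call.get("tool", "")
    payload = " ".join(str(a) for a in call.get("args", []))
    target = str(call.get("target", "")).lower()
    if tool in READ_ONLY_TOOLS:            # L1: reads never need review
        return "allow", 1
    if any(p.search(payload) for p in DESTRUCTIVE_PATTERNS):
        return "block", 2                  # L2: destructive, refuse
    if any(h in target for h in PRODUCTION_HINTS):
        return "escalate", 3               # L3: other writes to prod -> human
    return "allow", 4                      # L4: ordinary non-prod writes


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log; each record names the hash of its predecessor
    and carries an HMAC over its own canonical bytes."""

    def __init__(self, key: bytes):
        self.key = key
        self.records: list[dict] = []
        self._prev = "0" * 64  # genesis link

    def record(self, call: dict, verdict: str, level: int) -> dict:
        body = {"seq": len(self.records), "prev": self._prev,
                "call": call, "verdict": verdict, "level": level}
        canon = _canonical(body)
        body["mac"] = hmac.new(self.key, canon, hashlib.sha256).hexdigest()
        self._prev = hashlib.sha256(canon).hexdigest()
        self.records.append(body)
        return body

    def verify(self) -> bool:
        """True iff every record is intact, in order, and correctly chained."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False
            canon = _canonical(body)
            expected = hmac.new(self.key, canon, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec.get("mac", "")):
                return False
            prev = hashlib.sha256(canon).hexdigest()
        return True


def govern(calls: list[dict], log: AuditLog) -> list[tuple[str, int]]:
    """Decide and record every call; returns the verdicts in order."""
    out = []
    for call in calls:
        verdict, level = decide(call)
        log.record(call, verdict, level)
        out.append((verdict, level))
    return out


# Constructed sample of what an agent might try during one session.
SAMPLE_CALLS = [
    {"tool": "read_file", "args": ["src/app.py"], "target": "dev"},
    {"tool": "shell", "args": ["rm", "-rf", "/srv/data"], "target": "staging"},
    {"tool": "sql", "args": ["DROP TABLE users"], "target": "prod-db"},
    {"tool": "sql", "args": ["UPDATE users SET plan='pro' WHERE id=7"],
     "target": "production-db"},
    {"tool": "write_file", "args": ["README.md"], "target": "dev"},
    {"tool": "shell", "args": ["git", "push", "origin", "main", "--force"],
     "target": "dev"},
]

if __name__ == "__main__":
    log = AuditLog(AUDIT_KEY)
    for call, (v, lvl) in zip(SAMPLE_CALLS, govern(SAMPLE_CALLS, log)):
        print(f"L{lvl} {v:9s} {call['tool']} {' '.join(call['args'])}")
    print("audit chain intact:", log.verify())
```

Two design points worth noting. The verdict is recorded whether the call is allowed or not, so the log is evidence of what the agent attempted, not just what it did; and the chain link plus MAC means a compromised agent that can write to the log file still cannot rewrite a "block" into an "allow" or drop an inconvenient record without the verifier noticing.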
Governance isn't a speed bump. It's what lets you go fast safely.
Un-governed AI code doesn't go faster. It just crashes faster.
The projects pulling up the drawbridge, curl, Ghost, Tailscale, aren't anti-AI. They're saying the same thing: "We welcome AI assistance. We won't accept garbage without quality control."
MAREF is that quality control layer. Not between you and AI. Between garbage code and your production environment.
You can still vibe code. You can still have AI write your code. But before it deletes your database, someone will stop it.
You're getting slower? No. You're finally seeing what you're actually shipping.
📊 Sources: GitHub Octoverse Report, Carnegie Mellon fake star study, Socket security report, CodeRabbit 470 PR analysis, METR randomized controlled trial, curl/BT/Ghost/Tailscale official announcements. MAREF is an open-source agent governance operating system. Get started in 5 minutes.