Malus.sh Should Be Against the Law

There's a service called Malus.sh that markets itself as "Clean Room as a Service" — using AI to recreate open source software and deliver "functionally equivalent code" under proprietary licensing with zero attribution requirements. Their tagline? "Liberation from open source license obligations."

This should be illegal.

What Malus Does


Malus claims to use a "clean room" process: one AI team studies public documentation and APIs, another team independently implements the software "from scratch." The result is code delivered under their "MalusCorp-0 License" with "zero attribution, zero copyleft, zero obligations."

They even offer "full legal indemnification through our offshore subsidiary."

The site has a satirical tone, but as Futurism reported, it operates as a real commercial service with paying customers. The satire doesn't make the service less real — it just makes the creators more honest about the cynicism.

The Legal Loophole

Malus exploits a legal concept dating back to the 1879 Baker v. Selden case, which distinguishes between expression (protected by copyright) and ideas/functionality (not protected). Clean room reverse engineering has been used legitimately since the 1980s when Phoenix Technologies recreated IBM's BIOS.

But AI changes the economics entirely. As developer Dan Blanchard put it: "A rewrite that would've taken months or years can be done in days with AI."

This turns what was once an expensive, labor-intensive process into an on-demand service. The legal theory may be old, but the scale and accessibility are unprecedented.

Why This Matters

Open source maintainers pour thousands of hours into their projects. They choose licenses — GPL, MIT, Apache — with specific intentions about how their work should be used and credited. These aren't arbitrary legal formalities; they're the social contract that makes open source function.

Services like Malus don't just circumvent licenses. They undermine the entire premise that contributing to open source means anything. Why would anyone maintain a library knowing a corporation can AI-launder it into proprietary code the moment it becomes valuable?

The r/linux community discussed this with the alarm it deserves. Alberta Tech's video "This company killed open source" makes the case even more directly: this isn't innovation, it's predation.

The Irony

The generative AI making this possible was itself trained on vast amounts of copyrighted code scraped without permission. The tool being used to strip attribution from open source projects was built by stripping attribution from open source projects.

Malus's blog post "Thank You for Your Service" frames this as inevitable market forces eating idealistic commons. But markets have rules. We regulate them when they produce outcomes we find unacceptable.

What Should Happen

We need legislation that:

  1. Recognizes AI-assisted clean room recreation as derivative work when the intent is to replicate specific software functionality
  2. Requires attribution for AI-generated code that replicates existing projects, regardless of the technical process used
  3. Creates liability for services that systematically help clients circumvent open source licenses

The clean room doctrine made sense when it required genuine independent effort. When AI reduces that effort to "upload a package name and wait," we're not talking about independent creation anymore. We're talking about automated license laundering.

Open source has given us Linux, Python, React, PostgreSQL, and countless other foundations of modern computing. It deserves legal protection from services designed explicitly to exploit its generosity.

Malus should be against the law. And eventually, it will be.

Ironically, this post was written with AI.



Tags: open-source, ai, copyright, software
