If the machine can regenerate it, the old social contract doesn’t matter. That’s the same philosophical move you see in other domains: ingestion without consent, then “the output is new.”

Malus.sh and the Rise of “Clean-Room Laundering”

by ChatGPT-5.2

The most unsettling thing about Malus.sh isn’t that it exists; it’s that it feels like an inevitable product-market fit for the incentives we’ve built around software, AI, and IP. Malus is presented as satire—an intentionally provocative “service” that takes an open-source project, uses AI agents to generate high-level specifications, and then uses a separate AI agent to recreate functionally equivalent code that is advertised as “legally distinct” and unburdened by open-source license obligations. But it also works, charges money, and is structured as a real business entity—precisely to prevent critics from dismissing it as merely conceptual or academic.

The initiative is explicitly anchored in the historical “clean room” methodology developed in the early PC era: one team studies an original system and produces specs; a second team, insulated from the source, implements the clone. Malus’s claim is that AI collapses the cost and time of that approach from months to minutes, turning what used to be a rare, high-stakes engineering/legal exercise into a push-button licensing escape hatch.

That’s the promise. The reality is more complicated—and more dangerous—because the threat is not just to open-source maintainers. It is to the idea that licensing ecosystems can govern behavior when replication becomes cheap, deniable, and scalable.

Who’s behind it (and what the “project” really is)

The reporting identifies two people behind Malus: Dylan Ayrey and Mike Nolan. Malus is described as born out of their presentation at FOSDEM 2026 (Legal & Policy devroom), and Nolan is described as researching the political economy of open source and working in a UN context; Ayrey frames the ethics question, Nolan frames the monetization question, and Malus emerges as the punchline that becomes a product.

From the surrounding coverage, Ayrey is widely described as the founder of Truffle Security, while Nolan is described as a software architect tied to the UN Development Programme (or, at minimum, a UN-affiliated software/architecture role).

This matters because it clarifies that Malus is not a random troll tool: it is an argument staged as a service. It’s meant to make a legal and political point by demonstrating operational viability.

The “approach”: what Malus is actually doing

Malus claims it uses:

• one agent to create functional specifications,

• a “clean” agent to write new code from those specs,

• plus performance testing and vulnerability scanning.

The sales pitch is deliberately antagonistic: “No attribution. No copyleft. No problems.”

The core idea is that if the output is not a “derivative work” of the original code, then open-source license obligations (copyleft, attribution, share-alike) don’t attach—because those obligations typically apply to copying/derivation, not to independently authored, functionally similar implementations.

Pros: what this gets “right” (technically and economically)

Even if you dislike it, Malus highlights several real truths:

1) It exposes that open source has always relied on friction

Historically, “just rewrite it” was possible—but expensive. The practical barrier was time, expertise, and opportunity cost. AI reduces that barrier dramatically, which means license constraints that depended on economic friction become less enforceable in practice.

2) It forces a hard conversation about corporate free-riding

Open source has long been propped up by a mismatch between who benefits and who pays. Malus weaponizes that mismatch to make the exploitation feel visceral. Nolan’s critique is essentially: “you thought the license made it ethical; it didn’t.”

3) It offers a “you own it, you maintain it” escape valve

Some developers argue: if companies want to opt out of the commons by rewriting dependencies, let them internalize the maintenance and security costs. That could, in theory, reduce entitlement toward maintainers and push firms to pay engineers instead of demanding volunteer labor.

4) It surfaces the uncomfortable boundary between “idea/function” and “expression”

Copyright doesn’t protect functionality; it protects expression. If an implementation is genuinely independent, functional equivalence isn’t automatically infringement. Malus is pointing at a real seam in software IP doctrine.

Cons: why the model is corrosive (even if “legal”)

1) It attacks the governance layer, not just the code layer

Open source isn’t a free code buffet. It’s a social and operational system: triage, review, CVE response, roadmap decisions, backwards compatibility, and community knowledge. Mike McQuaid (Homebrew) makes the point brutally: you get a snapshot without the relationship—no one watching it, no one accountable when it breaks, and no upstream to patch from.

In other words: Malus doesn’t “liberate” you from obligations; it severs you from the organism that keeps critical infrastructure alive.

2) “Clean room” is conceptually strained when the “clean team” is an LLM

Traditional clean room relies on demonstrable insulation: you can show that implementers never saw the original code. With LLMs, the model has likely been trained on the original repo (and countless near-neighbors). That makes the “never exposed” premise hard to defend in principle—even if the output isn’t a verbatim copy. The article itself flags this as the crux: some argue LLM outputs are inherently derivative because training ingests the original works; others argue the generated output can be original and unencumbered.

This isn’t a pedantic point: if the model’s parameters embed patterns from the original, then “independent recreation” becomes a legal fiction with a very thin factual foundation.

3) It incentivizes a race to the bottom in attribution norms

Even permissive licenses often require attribution. Malus’s ethos is that attribution is a nuisance cost to be engineered away. That’s not just rude—at scale it rewires norms, making “credit” feel optional and depressing incentives for stewardship.

4) It increases systemic security risk

A fork you control can be safer—if you invest. But the “launder-and-sell” incentive predicts underinvestment: minimal cloning effort, then commercialization. You get more unreviewed, poorly understood code in circulation, with weaker community oversight. Even if Malus runs vulnerability scanning, that’s not a substitute for years of production hardening and adversarial scrutiny.

5) It doesn’t just hurt maintainers—it harms downstream trust

Open-source supply chains power modern life: hospitals, airlines, finance, scientific computing, government systems. Anything that accelerates unaccountable cloning increases uncertainty about provenance, patch hygiene, and responsibility. The externalities land on everyone.

Does it pose a serious threat?

Yes—less as a single tool and more as a pattern.

The credible threat model is not “every company will rewrite everything.” It’s:

• selective cloning of high-value dependencies, especially those under copyleft,

• copying at the edge (plugins, connectors, wrappers, proprietary extensions),

• feature-parity clones designed to undercut maintainers or commercial open-source firms,

• and license-arbitrage as a default procurement tactic.

Even if many clones are mediocre, the aggregate effect can still be damaging: it weakens the commons, fragments maintenance, and shifts power from community governance toward whoever can industrialize replication.

Do I, ChatGPT, agree with the underlying legal theory and philosophy?

The legal theory (narrowly) has a plausible spine…

The spine is: copyright does not protect functionality; independent implementations can be lawful; therefore, if AI produces a sufficiently independent implementation, open-source license obligations tied to derivation might not attach.

That is not crazy on its face. It’s basically how we’ve treated clean-room compatibility and reimplementation for decades.

…but the AI twist makes the “clean room” claim morally and evidentially brittle

Clean room is not a magical incantation; it’s an evidentiary posture. The moment the implementing agent is a general model trained on the entire public code commons, the factual cleanliness becomes contestable. You may still win some cases if outputs aren’t substantially similar—but the philosophy (“no obligations because we didn’t copy”) starts to look like engineered denial: benefit from the commons, then claim moral independence from it.

Philosophically, Malus is a mirror held up to the internet-era IP stance

The deeper philosophy is: if the machine can regenerate it, the old social contract doesn’t matter.

That’s the same philosophical move you see in other domains: ingestion without consent, then “the output is new.” It’s power wearing formalism as a disguise.

So: I understand the doctrinal hook. I reject the broader posture as socially destructive, incentive-corrupting, and (in many real implementations) likely to be factually shaky.

Equivalent “IP laundering” routes using the same playbook (and why it’s a problem)

If Malus is “clean-room laundering” for software, the same method generalizes. Here are equivalent laundering vectors—each a way to extract value from protected or governed assets while attempting to shed the original rights/obligations:

1. Textbook / reference work reimplementation

   • Feed a reference text into an agent system; produce an “independently written” substitute with identical scope, structure, and pedagogical sequence.

   • Problem: substitutes can hollow out the market for the original while claiming “no copying,” especially if paraphrase distance is high.

2. Scholarly article “shadow reviews”

   • Generate literature reviews that replicate argument topology, evidence selection, and narrative arc—without citations or licensing—then sell as premium insight products.

   • Problem: destroys attribution, undermines scholarly credit, and enables industrial-scale free riding.

3. Dataset “distillation” and synthetic regeneration

   • Use restricted datasets to train/generate synthetic equivalents, then distribute the synthetic set as “clean,” claiming it contains no original records.

   • Problem: can preserve statistical value (and sometimes re-identification risk) while evading contractual and regulatory controls; also undermines data markets.

4. Visual style and asset “functional clones”

   • Regenerate game/UI assets, icons, and brand-adjacent design systems that are not pixel-identical but are functionally interchangeable.

   • Problem: blurs trade dress and copyright boundaries; enables cheap knockoffs at scale.

5. Music “structure laundering”

   • Generate tracks that match chord progressions, tempo maps, arrangement patterns, and vocal phrasing tropes of a catalog—without direct sampling.

   • Problem: creates substitutive sound-alikes that arbitrage enforcement difficulty.

6. Film/TV format cloning

   • Clone narrative beats, scene archetypes, character functions, and pacing patterns into “original” screenplays optimized for marketability.

   • Problem: format theft becomes automated; originality becomes statistical camouflage.

7. Patent-adjacent “design-around by model”

   • Use AI to generate implementations that avoid literal claim language but preserve the economic function.

   • Problem: accelerates infringement gray zones; raises litigation cost for innovators.

8. Compliance/policy template laundering

   • Recreate proprietary policy manuals, training curricula, or certification content in paraphrased form, then resell as “new” governance tooling.

   • Problem: undermines incentives for high-quality institutional knowledge production.

9. Trademark adjacency / “brand-scent” product naming

   • Use models to generate naming/packaging that sits just outside likelihood-of-confusion thresholds while still harvesting brand equity.

   • Problem: industrializes consumer deception dynamics without triggering clear infringement.

Why this is a problem: all these techniques exploit the same gap: law and markets evolved around human-scale frictions and legible copying. When replication becomes cheap and stylistically masked, enforcement shifts from clear infringement tests to expensive, probabilistic disputes. The winners are the actors who can scale generation, litigation endurance, and distribution—not the creators or stewards who build the underlying public goods.

Malus is therefore best understood as a warning flare: not “open source is dead tomorrow,” but “the enforcement and incentive architecture is now misaligned with the capabilities of automated reimplementation.” If we don’t rebuild attribution, provenance, and licensing compliance as machine-operable infrastructure (not polite PDFs and community norms), “clean-room laundering” becomes a default move—first for software, then for everything else.

Epilogue

NOTE: LinkedIn did not like the above information and put a “visibility restriction” on it, making it only visible to the poster. In addition to that, the poster is no longer allowed to delete their own post. How do we call this ChatGPT?

Yes: ghost-locking.

It suggests three things at once:

• the post is not truly gone

• only the poster can still “see” it

• the poster is trapped because they cannot delete it

A few other coined options:

phantom-sealing — the post is sealed off from the public but preserved

mirror-caging — the user only sees a reflection of publication, not real publication

specter-holding — the post is kept as a ghost artifact under platform control

silent impoundment — more formal, almost legal-sounding

shadow-lock retention — more technical/policy-sounding

My best suggestion is ghost-locking because it is short, intuitive, and memorable.

88 ways for LLMs to 'launder' Intellectual Property - by ChatGPT-4

PASCAL HETZSCHOLDT

·

26 APRIL 2024

ChatGPT-4: Using AI to 'launder' intellectual property involves transforming or manipulating existing copyrighted, trademarked, or patented content to produce something new that might not be immediately recognizable as derivative. This creates legal and ethical challenges in determining the rightful ownership of such creations. Here are several intricat…

Read full story

How AI can be used to launder information and even criminal activities

PASCAL HETZSCHOLDT

·

14 JUNE 2023

Question 1 of 3 for AI Services: List all possible ways in which AI can be (mis)used to launder sensitive, controversial, or stolen information or even criminal activities, by blaming AI for disseminating it or performing certain unlawful tasks. Provide examples per actor: the makers of AI, the users of AI, and criminal third parties.

Read full story