When LLMs Turn Pull Requests Into Phishing: The Rise of AI-Generated PR Slop

The New Landscape of Pull Requests

The past decade has seen the open‑source ecosystem evolve from a niche hobby into a backbone of modern software. Pull requests (PRs) have long been a barometer of community health: contributors submit code to fix bugs, add features, or simply learn. Historically, the motivations behind a PR were clear:

1. Tool‑centric improvements – fixing or extending the tool a developer uses.
2. Resume building – short‑term status in OSS to impress recruiters.
3. Long‑term community integration – becoming a recognized member.
4. Altruistic giving – contributing as a gift.

The last two have driven the most sustainable contributions, but the second—quickly boosting a GitHub profile—has always been a double‑edged sword. With the advent of AI coding assistants like Claude Code, Cursor, and Copilot, that edge has sharpened into a blade.

From Low‑Effort to High‑Impact

AI tools reduce the friction of writing code: a prompt, a few keystrokes, and a ready‑to‑merge patch. A recent randomized trial by METR found that developers felt 20 % faster with AI, yet actual throughput dipped 19 % compared to manual work. The illusion of speed fuels a new breed of PRs that:

• Ignore project context – AI generates code that looks plausible but rarely aligns with an issue’s intent.
• Exploit “help‑wanted” labels – bots loop over PR review comments, treating them as a predictable script.
• Spam across repos – identical or near‑identical patches hit multiple projects, each with a distinct, often meaningless PR description.

"I’m burning out on this… Multiple PRs created by AI‑bot accounts are trying to solve the same issue that has not yet even been identified, with verbose plain‑text PR descriptions." – Anthony Fu, 2025‑12‑03

This phenomenon is not just a nuisance; it is a denial‑of‑service attack on maintainers, mirroring tactics used in supply‑chain exploits such as Log4Shell or the eslint‑prettier plugin attack.

Why the Shift Occurs

The barrier to entry for contributing has collapsed. Anyone who can run an LLM can now:

1. Read an issue – or skip reading entirely.
2. Generate code – without understanding API contracts.
3. Push a PR – with minimal human oversight.

The result is a flood of AI slop: patches that look real but are often buggy, insecure, or outright malicious. Because the cost of creating a PR is near zero, the incentive to spam multiplies.

A New Attack Surface

Attackers can use AI slop as a first stage in a phishing or credential‑stealing campaign. By sending a seemingly innocuous PR that merges cleanly, they can:

• Expose maintainers to social engineering – a simple “please review” message can trigger a deeper, malicious PR.
• Gain maintainer status – a well‑timed merge can add an attacker as a collaborator.
• Plant backdoors – a second, cleaner PR can hide malicious code within a legitimate change.

In effect, AI slop becomes a low‑cost, high‑yield vector for supply‑chain attacks.

Community Responses and the Path Forward

Some projects have begun to adopt policies that explicitly reject low‑effort AI‑generated PRs. Others experiment with automated defenses, such as the open‑source tool octo.guide, which can flag suspicious patterns.

"Policing this stuff is messy and hard. I don’t pretend to have a good grasp on how it can all happen. That said, I’d like to call GitHub to action on this." – Tylur, 2025‑12‑07

GitHub’s own stance is cautious: the platform’s roadmap does not currently include policing AI‑generated contributions. Yet the community’s growing frustration signals a potential shift toward a more robust Trust & Safety framework, similar to how Dependabot was embraced.

Recommendations for Maintainers

1. Implement PR templates that require explicit context and testing.
2. Automate static analysis to catch common AI hallucinations.
3. Use rate‑limiting on PR creation from new contributors.
4. Educate the community on the risks of AI slop and the importance of code review.

Recommendations for Platform Operators

• Signal AI‑generated content in PR metadata.
• Provide tooling for automatic detection of bot‑like submission patterns.
• Encourage policy transparency so projects can enforce rules without compromising openness.

The Bottom Line

AI‑generated pull requests have moved from a quirky novelty to a systemic threat. They erode the quality of OSS contributions, strain maintainers, and open new avenues for supply‑chain attacks. Addressing this challenge will require coordinated action from developers, project maintainers, and platform providers alike. The next chapter in open‑source trust hinges on how quickly the ecosystem can adapt to this new reality.

Source: https://tylur.blog/harmful-prs/