Is a $4 million venture capital-funded startup stealthily taking over popular coding tools and injecting ads and spyware into them?

That’s what some programmers fear may be happening. It is one of the most troubling scandals to hit the open-source community — a robust network of programmers who work on shared tools for free — in recent memory.

Open source works because everyone benefits: individuals and corporations, both for-profit and not. Countless dollars have been made off things built on top of open-source software, while the existence of free high-quality tools makes it possible to build a product that exists solely for the benefit of the commons. But that balance only works when people stick to the community’s basic decorum of transparency, and that’s where a young San Francisco company called Kite seems to have gone wrong.

It started back in April, when a programmer noticed a strange change to an open-source tool called Minimap. Minimap is a popular add-on for Atom, another open-source tool that lets programmers edit code; it shows a zoomed-out overview, or “mini-map,” of the user’s code, to make it easier to jump around between different sections. Minimap has had more than 3.5 million downloads, but like many open-source tools, it was maintained by a single person who no one knew much about other than their username: @abe33.

At some point, @abe33, whose real name is Cédric Néhémie, was hired by Kite. Kite was started by Adam Smith, a successful tech entrepreneur who raised funding from a slew of big names including the CEO of Dropbox and the creator of WordPress. It is unclear what Kite’s business model is, but it says it uses machine-learning techniques to make coding tools. Its tools are not open source.

After being hired by Kite, @abe33 made an update to Minimap. The update was titled “Implement Kite promotion,” and it appeared to look at a user’s code and insert links to related pages on Kite’s website. Kite called this a useful feature. Programmers said it was not useful and was therefore just an ad for an unrelated service, something many programmers would consider a violation of the open-source spirit.

“It's not a feature, it's advertising — and people don't want it, you want it,” wrote user @p-e-w. “The least you can do is own up to that.”

“I have to wonder if your goal was to upset enough people that you'd generate real attention on various news sites and get Kite a ton of free publicity before your next funding round,” @DevOpsJohn wrote. “That's the only sane explanation I can find for suddenly dropping ads into the core of one of the oldest and most useful Atom plugins.”

Laur Connor, a developer for the startup Trunk Club, was one of the programmers who raised concerns about Kite’s practices. In her opinion, the change was spam — and the fact that the update was titled “Implement Kite promotion” gives it away. “The documentation links in Minimap are as helpful and create as much value as someone giving you a surprise free shoulder rub at a sushi restaurant and handing you their business card,” she told The Outline.

Kite dug in its heels at first, but finally removed the links to its site this week. Minimap wasn’t the only open source tool it had modified, however.

Another popular tool, called autocomplete-python, which has 971,000 downloads, was also apparently taken over by Kite back in December. Kite did not advertise this fact, however, and on May 13 a programmer under the handle @dessant noticed that autocomplete-python’s main developer, @sadovnychy, had seemingly handed it over to Kite. “Please share the nature and circumstances of the apparent maintainer transition taking place, and specify how does it relate to Kite and its employees,” @dessant wrote, adding later that “many of us feel the autocomplete-python package is being overtaken by the Kite team, and the popularity of this plugin is being used to promote their service.”

Unlike Minimap, autocomplete-python is in line with what Kite says its technology does: Help programmers write code faster by prompting them with suggestions as they write. But once again, Kite ran afoul of the open source community, many of whom felt that the startup was trying to hack its way to success by stealthily taking over popular tools and sucking up their users.

Although Kite has no business model yet, it’s widely thought in Silicon Valley that having users is the first step toward profitability. Adding users potentially benefits the company in another way, by giving it access to precious data. Kite says it uses machine learning tactics to make the best coding helper tools possible. In order to do that, it needs tons of data to learn from. The more code it can look at, the better its autocomplete suggestions will get, for example.

Kite may be taking advantage of a fairly recent trend in open source. In the past, open source consisted of a few giant projects that everyone tracked very closely. But as the community grew, projects proliferated to the point that many coders install tools without thoroughly vetting them. For a long time this was fine, but this sort of sloppiness has started to become an issue: In March of last year, one open source coder deleted all his projects in anger after a trademark dispute. One of his projects was left-pad, an ultra-simple, 17-line piece of JavaScript that right-justified text. Because left-pad was so ubiquitous, hundreds of projects were broken all at once — and developers had to scramble to figure out what had gone wrong and replace it. The incident illustrated how little thought is given to where tools come from and how reliable they will be in the future.

Furthermore, the open source community has now grown so large that popular tools are starting to look like juicy targets for bad actors.

Back to autocomplete-python. A number of developers who reviewed the tool found that the changes Kite made were far more invasive than what it had done to Minimap. The new version of autocomplete-python demoted the open source engine it had been using, called Jedi, and enabled Kite’s engine by default.

A screencap of the prompt shown by autocomplete-python.

Kite’s engine required code be processed on Kite’s cloud server, while the previous version did this work on the user’s machine. This is a crucial difference because sending data to the cloud is a privacy issue, especially given the wide-ranging access permission requested by the tool. Developers said they worried that various scenarios could lead to medical data, payment data, and other data that should be kept private being uploaded to Kite. Furthermore, many private companies have policies against uploading data to third parties, which would make Kite unusable for developers at those companies.

But mostly, developers didn’t like the way Kite seemed to be sneaking around, quietly taking over popular tools and slipping its product in.

“It’s pissing off the very community they want to sell to,” said Rod Waldhoff, a longtime open source contributor who watched the Kite drama play out. “The reaction was overwhelmingly negative and they are basically just shrugging it off. At the time I think they still could have said ‘we messed up, we’ll pull back and we’re all okay.’ But here we are two months later.”

Smith himself responded when The Outline reached out to Kite. He denied that what Kite did to Minimap was equivalent to an ad and emphasized that users have to opt in to using Kite in autocomplete-python. “Most users who install autocomplete-python close the engine selection prompt, which results in not getting Kite or its benefits,” he said in an email.

Smith also said that most of the negative reaction was due to confusion around what the tools actually do. (Connor pointed out that it’s not possible to review what Kite does, since it itself is not open source.) Then he blew this reporter off. “I apologize in advance that I can't answer any further questions,” he wrote. “I need to focus on other parts of the business, including continuing to improve the product for our users, and conflict like this is always doubly distracting.”