Codeberg blames ‘far right’ for attacks on open-source code repository

Notification features exploited to spam abuse to hundreds of users

A series of abusive messages received by users of the Codeberg open-source repository has been blamed on a ‘far right’ campaign of harassment.

The abusive messages were the work of a single user, who took advantage of the site’s notification features to spam up to 100 other users at the same time with the messages.

“Depending on the notification settings of users... these generate notification emails that contain a copy of the post that includes the mention – and, thus, the abusive content via email,” the organisation said in a statement.

The projects targeted were “advocating tolerance and equal rights”, it added. The offending user’s accounts were deleted, but not before they had sent a large number of notification emails.

No private data was compromised, and the abuser or abusers did not have direct access to victim’s email addresses, the organisation said.

Codeberg is a Berlin-based non-profit organisation largely run by volunteers and sustained by donations, with the mission of bringing together a community of “like-minded developers, artists, academics, hobbyists and professionals” to “celebrate free culture, openness and creativity”. It provides Git hosting and other services to support free and open-source projects.

The organisation continued: “We are investigating the details of the attack and we have implemented short-term countermeasures and monitor activity on the platform closely. Further, we are responding to hundreds of emails from our users that ask about the incident. Some request the deletion of their data in response.

“Next up, we will make plans on how to improve our protection against this and future kinds of abuse attacks on Codeberg itself to reduce the likelihood of similar things from ever happening again.”

The claims come as open source maintainers have complained about the pressure, excessive workloads and abuse that comes with maintaining source code.

While open source enjoys support from major technology companies, much of the ecosystem relies on volunteers working in time – invariably too little - donated by their employer, or in their free time.

A series of open-source maintainers speaking at the 2025 State of OpenCon event last week complained about demanding users, excessive workloads and, ultimately, burnout.

Talking to The Register, which covered the event along with Computing, Google developer Sophia Vargas claimed that “many participants in open source feel that open source projects are chronically undersupported”.

She continued: “This feeling is also reflected in the numbers: many projects, even those deemed ‘critical infrastructure’ are supported by very few people (often with one person doing most of the work), many maintainers have considered quitting, and many projects may not be maintained at all.”