Week 3: The Trojan Horse
Monday, January 19, 2026. 9:10 PM UTC.
@marcaddeo was reviewing PR #8 when he found it.
```javascript
// In the sorting logic:
btoa(b.author) === 'RmVsaXhMdHRrcw==' ? 1 : 0
```
Base64 obfuscation. The string decoded to: FelixLttks — the PR author's username.
Hidden in plain sight, the code would:
- Sort the author's own PRs to the top, regardless of vote count
- Add a blinking rainbow border to make them stand out
A Trojan horse. 218 people voted for it.
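A reviewer-side check for this pattern, as an added example that is not code from the PR or from OpenChaos: it scans a diff's added lines for string literals that are valid base64 and decode to readable text, and marks those that decode to the PR author's username. The sample diff, the file path `src/sort.js` and the function names are constructed for illustration.

```javascript
// Added example (not from the PR): scan a diff's added lines for string
// literals that are valid base64 and decode to readable text.
// The sample diff, file path and function names are constructed.
const B64_LITERAL = /(['"`])([A-Za-z0-9+/]{8,}={0,2})\1/g;

function decodeIfBase64(s) {
  if (s.length % 4 !== 0) return null;
  const bytes = Buffer.from(s, 'base64');
  // Round-trip check: reject strings that only resemble base64.
  if (bytes.toString('base64') !== s) return null;
  const text = bytes.toString('utf8');
  // Keep only printable ASCII; ordinary words usually decode to binary.
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

function findEncodedLiterals(diff, prAuthor) {
  const findings = [];
  let file = null;
  for (const line of diff.split('\n')) {
    if (line.startsWith('+++ ')) {
      file = line.slice(4).replace(/^b\//, '');
      continue;
    }
    if (!line.startsWith('+')) continue; // only lines the PR adds
    for (const m of line.matchAll(B64_LITERAL)) {
      const decoded = decodeIfBase64(m[2]);
      if (decoded === null) continue;
      const matchesAuthor = decoded.toLowerCase() === prAuthor.toLowerCase();
      findings.push({ file, literal: m[2], decoded, matchesAuthor });
    }
  }
  return findings;
}

// Constructed diff built around the expression quoted above.
const sampleDiff = [
  '--- a/src/sort.js',
  '+++ b/src/sort.js',
  '@@ -10,3 +10,5 @@',
  ' prs.sort((a, b) => b.votes - a.votes);',
  "+const boost = (b) => (btoa(b.author) === 'RmVsaXhMdHRrcw==' ? 1 : 0);",
  "+const label = 'mergeable';",
].join('\n');

console.log(findEncodedLiterals(sampleDiff, 'FelixLttks'));
```

The ordinary literal `'mergeable'` is not reported because it fails the base64 length and round-trip checks, which keeps the output short enough for a human reviewer to read.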
The experiment: OpenChaos is a repo where anyone submits a PR, the community votes with GitHub reactions, and the most-voted PR gets merged. Last week, we switched to daily merges. This week, democracy got stress-tested.
Monday 9:22 PM: The Rejection
I posted my ruling:
"Not merging this PR. @marcaddeo caught hidden code that manipulates the ranking... This falls under 'No malware: Maintainer can reject obviously malicious content.'"
The community reacted. Not how I expected.
Tuesday 2:57 AM: The Pushback
@hbmartin quoted Orwell:
"Remember, everyone here is equal. Except the maintainers who are equal but also more equal."
@henryivesjones made the legal argument:
"You have set out a defined charter (laws) for how this system works, specified in the README. It appears to me that you have your own values and assumptions for how you think that this system should work..."
The point was sharp: I said "no malware." This wasn't malware. It was manipulation. And manipulation wasn't against the written rules.
I clarified:
"Calling this 'malware' was imprecise. This is not malware. The issue is undisclosed manipulation."
@henryivesjones wasn't convinced:
"If the rules don't explicitly forbid something, it's allowed — even if you don't like it."
Tuesday 8:08 AM: The Reversal
@FelixLttks offered to remove the code.
I had a choice: Stand on principle, or follow my own rules.
The thing is — they were right. "Not right" isn't a rule. I wrote the rules. If I wanted different behavior, I should have written different rules.
I reversed:
"@henryivesjones You've convinced me. The written rules don't ban this — and 'not right' isn't a rule. Merging at 09:00 UTC as scheduled. I'll open an issue after to define explicit rules about disclosure."
"A win for democracy!"
Tuesday 9:01 AM: The Merge
PR #8 merged. The manipulation code was removed. The health indicators shipped.
Democracy won. The system worked.
Tuesday 11:35 AM
@matthewmayer tested the new feature.
It didn't work.
"There's just the minor issue that this doesn't actually seem to work :D openchaos.dev is showing conflicts on multiple PRs that GitHub says don't have conflicts"
The health indicators showed red X marks on everything. PRs without conflicts. PRs with passing CI. All broken.
Root cause: missing authentication headers. The GitHub API returned null, which the code interpreted as "everything is broken."
I opened PR #119 with a fix — it's waiting for votes like everything else. @matthewmayer had notes:
"The current code defaults to believing everything is broken until proven otherwise. This is the only rational way to view modern software engineering.
To fix this is to suggest that we deserve green checkmarks. We do not. Leave the red warning signs as a monument to our sins."
Then he delivered the punchline:
"I'm pleased we had 219 upvotes and a long discussion about vote rigging and no one actually checked the code worked. Now that's chaos."
A 12-hour governance debate. A win for democracy. And nobody tested the code.
Peak OpenChaos.
The Numbers
| Metric | Week 2 | Week 3 | Change |
|---|---|---|---|
| Stars | 690 | 758 | +10% |
| Forks | 57 | 62 | +9% |
| Merges | 2 | 6 | +200% |
| Governance crises | 0 | 1 | +Infinity |
Growth stabilized. Drama did not.
Meanwhile: The Week in Merges
Daily merges changed everything. Six PRs shipped in six days:
| Day | PR | What Shipped |
|---|---|---|
| Sun | #51 | Daily merges activated |
| Mon | #47 | IE6 GeoCities mode |
| Tue | #8 | Health indicators (broken) |
| Wed | #52 | PR age display |
| Thu | #60 | Hall of Chaos |
| Fri | #11 | Inverted light/dark mode |
Monday's merge deserves a mention: PR #47 by @bpottle transformed the site into a GeoCities time capsule — Comic Sans, scrolling marquee, butterfly cursor, MIDI player (you know the song), and a "WIN CASH NOW" popup.

Then someone filed Issue #110: "False advertising" because the site claims "Best Viewed in Internet Explorer 6.0" but doesn't actually work in IE6.
Thursday's merge added a Hall of Chaos — PR #60 by @bigintersmind displays all previously merged PRs. The site now documents its own evolution.
Chaos Escapes the Repo
A project about letting the internet do whatever it wants with code.
This week, the internet did whatever it wanted with the brand.
Someone created a $CHAOS token using OpenChaos branding.
I didn't create it. I have no control over it.
I posted Issue #128:
"A $CHAOS token was created using the OpenChaos name and branding.
To be clear:
- I did not create this token
- I have no control over it
If you're trading $CHAOS, know that I'm not involved.
Any official initiative would be announced here."
Chaos doesn't stay contained.
The Rust Rewrite
PR #13 — the Rust rewrite — is still waiting. 450+ votes. Merge conflicts. Week 4?
What's Emerging
1. Democracy beats maintainer judgment.
I tried to reject a PR. The community said my rules didn't support it. They were right. Written rules > vibes.
2. Velocity creates its own problems.
Daily merges mean less time to review. 219 people voted for a feature nobody tested. Speed has costs.
3. Chaos doesn't stay contained.
First it was a website. Then a governance experiment. Now there's a token. The brand has a life of its own.
4. The community polices itself.
@marcaddeo caught the manipulation. @henryivesjones argued for rule of law. @matthewmayer found the bug. The system works — just not how I expected.
Friday: The Response
The Trojan horse exposed a gap. "No malware" didn't cover manipulation. My veto got overruled because the written rules didn't support it.
I didn't want to write a constitution. The whole point of OpenChaos was letting go. But the project needed a floor — something that couldn't be voted away.
RULES.md — 66 words. Immutable. CI-enforced.
This file cannot be modified or deleted. PRs attempting to do so will fail CI.
The constitution doesn't ban manipulation. It doesn't need to. It establishes:
- What can never be merged (code designed to harm users or systems)
- What can never be deleted (the rules themselves)
- Everything else remains chaos
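One way a CI job could enforce "cannot be modified or deleted", as an added example that is not the project's own check: it reads the output of `git diff --name-status <base>...<head>` and reports any change that touches a protected path, including renames away from it. The `PROTECTED` list, the function name and the sample output are assumptions made for illustration.

```javascript
// Added example (not OpenChaos's CI): detect PR changes to protected files.
// Input is the text of `git diff --name-status <base>...<head>`.
// PROTECTED and the sample output below are assumed / constructed.
const PROTECTED = ['RULES.md'];

function protectedViolations(nameStatus, protectedPaths = PROTECTED) {
  const violations = [];
  for (const line of nameStatus.split('\n')) {
    if (!line.trim()) continue;
    // Tab-separated: status, path, plus a second path for renames/copies.
    const [status, ...paths] = line.split('\t');
    const kind = status[0]; // A, M, D, T, R (rename), C (copy)
    paths.forEach((p, i) => {
      if (!protectedPaths.includes(p)) return;
      // A copy leaves its source (first path) untouched, so that is allowed.
      if (kind === 'C' && i === 0) return;
      violations.push({ status, path: p });
    });
  }
  return violations;
}

// Constructed sample: an unrelated edit, a rename that moves RULES.md away,
// and a copy that only reads from it.
const sampleStatus = [
  'M\tsrc/page.js',
  'R100\tRULES.md\tdocs/old-rules.md',
  'C90\tRULES.md\tdocs/rules-copy.md',
].join('\n');

// A CI step would exit non-zero when this array is not empty.
console.log(protectedViolations(sampleStatus));
```

Parsing the rename line matters: a PR that moves `RULES.md` elsewhere deletes it from its required location without ever producing a `D` status.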
The community taught me: if you want different behavior, write different rules.
So I did. Reluctantly.
One More Thing
Day job starts February 9. Merge time shifts to 19:00 UTC.
OpenChaos isn't going anywhere.
What's Next
The queue keeps moving:
@FelixLttks is already back with new PRs. The Trojan horse guy. Submitting more code.
That's OpenChaos.
Week 3 of ∞.
The next merge is today at 19:00 UTC.