U.S. Department of Defense Uses Open-Source Tool with Russian Developer Behind It


Fast-glob, a widely used Node.js utility, is maintained by a Russian developer linked to Yandex and is reportedly used by thousands of projects, including over 30 U.S. Department of Defense systems. Cybersecurity experts warn that the lack of oversight in such critical open-source projects could leave them vulnerable to exploitation by state-backed actors. Hunted Labs, a U.S. cybersecurity firm, recently uncovered the issue and highlighted the potential risks.

The utility in question is fast-glob, which is used to find files and folders that match specific patterns. It is maintained by Denis Malinochkin, a Yandex developer living in a suburb of Moscow. Hunted Labs reported that the tool is downloaded over 79 million times weekly and is used in more than 5,000 public projects, in addition to DoD systems and Node.js container images. Private projects using it may be even more numerous, making the number of at-risk projects potentially much higher.

While fast-glob has no known CVEs, its deep access to systems using it could provide potential attack vectors for exploitation. According to Hunted Labs, the tool could be used to attack filesystems directly, expose sensitive information, launch a DoS or glob-injection attack, include a kill switch to stop downstream software from functioning, or inject additional malware. The cybersecurity firm emphasized that the list is not exhaustive and that the risks are significant.

David Haden Smith, cofounder of Hunted Labs, told The Register that the ties are cause for concern. “Every piece of code written by Russians isn’t automatically suspect, but popular packages with no external oversight are ripe for the taking by state or state-backed actors looking to further their aims,” Smith said in an email.

Hunted Labs recommended that the best solution for the thousands of projects using fast-glob would be for Malinochkin to add additional maintainers and enhance project oversight. The alternative would be for anyone using it to find a suitable replacement.
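Either option, adding oversight or swapping the package out, starts with knowing where fast-glob enters a project's dependency tree, since it usually arrives transitively rather than as a direct dependency. The script below is an added illustration, not code from Hunted Labs or the fast-glob project: it walks a constructed package-lock.json (lockfileVersion 3 shape) and reports every chain from the root package to fast-glob and every installed copy; the sample lockfile's package names and versions are assumptions.

```python
# Constructed sample in the shape of an npm package-lock.json (lockfileVersion 3);
# package names and versions are illustrative, not copied from any real project.
SAMPLE_LOCK = {
    "name": "example-app",
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"eslint": "^9.0.0", "tailwindcss": "^3.4.0"}},
        "node_modules/eslint": {"version": "9.0.0", "dependencies": {"globby": "^11.0.0"}},
        "node_modules/globby": {"version": "11.1.0", "dependencies": {"fast-glob": "^3.2.9"}},
        "node_modules/fast-glob": {"version": "3.3.2"},
        "node_modules/tailwindcss": {"version": "3.4.0", "dependencies": {"fast-glob": "^3.3.0"}},
        # nested second copy, as npm installs on a version conflict
        "node_modules/tailwindcss/node_modules/fast-glob": {"version": "3.3.1"},
    },
}

def pkg_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; the root entry ('') stays ''."""
    return path.rsplit("node_modules/", 1)[-1] if path else ""

def reverse_deps(lock: dict) -> dict[str, set[str]]:
    """Package name -> names of packages whose manifest declares it as a dependency."""
    root = lock["packages"][""].get("name", "<root>")
    rev: dict[str, set[str]] = {}
    for path, entry in lock["packages"].items():
        for dep in entry.get("dependencies", {}):
            rev.setdefault(dep, set()).add(pkg_name(path) or root)
    return rev

def installed_versions(lock: dict, target: str) -> list[str]:
    """Every installed copy of target, nested node_modules copies included."""
    return sorted({e["version"] for p, e in lock["packages"].items()
                   if p and pkg_name(p) == target and "version" in e})

def dependency_chains(lock: dict, target: str) -> list[list[str]]:
    """All chains root -> ... -> target, i.e. which direct dependencies pull target in."""
    root = lock["packages"][""].get("name", "<root>")
    rev = reverse_deps(lock)
    chains, stack = [], [[target]]
    while stack:
        chain = stack.pop()
        for parent in rev.get(chain[0], ()):
            if parent in chain:  # guard against dependency cycles
                continue
            (chains if parent == root else stack).append([parent] + chain)
    return sorted(chains)

if __name__ == "__main__":  # for a real project: json.load(open("package-lock.json"))
    for chain in dependency_chains(SAMPLE_LOCK, "fast-glob"):
        print(" -> ".join(chain))
    print("installed versions:", installed_versions(SAMPLE_LOCK, "fast-glob"))
```

The second element of each chain is the direct dependency that would have to be replaced or pinned to remove the package, and the version list shows whether a hoisted and a nested copy would both need attention.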

“Open source software doesn’t need a CVE to be dangerous,” Hunted Labs concluded. “It only needs access, obscurity, and complacency,” a combination the firm described as an ongoing problem for open source projects. This serves as another powerful reminder that knowing who writes your code is just as critical as understanding what the code does.