From Russia with doubt: Go library's Kremlin ties stoke fear

Easyjson library's presence in numerous open source projects alarms security biz

Easyjson, a software library for serializing data in Golang applications, is maintained by developers affiliated with Russia's VK Group.

And this, according to security biz Hunted Labs, presents a potential security risk for US government organizations and private sector firms. Hunted said it takes this position because VK Group is allegedly controlled by Russian state entities and its CEO, Vladimir Kiriyenko, is currently subject to US sanctions.

No malicious code has been identified in the easyjson library, which is used in popular open source projects like ArgoCD, Cilium, Cosign, Grafana, Helm, Istio, Kubernetes, Prometheus, and Sigstore, among others.

However, the possibility that the open source package could be subverted at the behest of the Russian state raises questions about how public and private sector organizations in the US should view applications that depend on it in light of their compliance obligations.

In a report published on Monday, Hunted Labs outlines the alleged risk.

"Russia doesn't need to attack directly," the company claims in a blog post. "By influencing state-sponsored hackers to embed a seemingly innocuous [open source software] project deep in the American tech stack, they can wait, watch, and pull strings when it counts. A well-placed backdoor or subtle bug could become the digital equivalent of a sleeper cell – with impact spanning from the Pentagon to your iPhone."

A year after the discovery of the backdoored XZ compression library, such scenarios have become harder to dismiss as paranoia. The reality is that in both public and private sector organizations, there's some concern about hiring developers with known or concealed ties to countries deemed national adversaries, such as China, Russia, and North Korea.

Hayden Smith, co-founder and chief technology officer of Hunted Labs, told The Register that his company was reviewing the risks posed by various open source applications for a client and easyjson stood out because it was present in so many projects.

"This was actually something that the US government had wanted us to do for this client," Smith said. "So they asked for what's called a foreign ownership contribution and influence [assessment], or FOCI. They wanted to look at what's the foreign ownership and control of these different open source packages that are found within this client's application."

Easyjson, Hunted Labs researchers noticed, was run by software developers associated with VK Group, also known as Mail.ru, which has a history of cooperation with Russia's Federal Security Bureau (FSB).

"To be completely clear, we're not saying that everyone based in Russia or everyone based in China is a bad guy," said Smith. "We're not out here to say that. What we're here to say, though, is if those individuals come from certain organizations that have previously been attached to any kind of suspicious activity against the United States, then we need to take a second look at that and really consider the source of where that software is ultimately coming from."

Smith said Hunted Labs found no evidence that any of easyjson's developers have ties to known malware or ransomware groups. Nor was any dubious or malicious code identified within the easyjson repo.

"During our analysis, what we did observe, though, was some pretty weak security posture just around the open source," said Smith. "If you look at OpenSSF, they have all these different security checks that you can enable. And it's really best practice-type stuff, like, do you do branch protection? Do you do fuzzing? Do you do SAST [Static Application Security Testing]? Is the code peer-reviewed? And when you look at that, [easyjson] was particularly weak – it scored about a three point seven [out of 10], which is really, really low."
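An added example, not code from the article, Hunted Labs, or the easyjson project, of turning the checks Smith names into a dependency gate: it reads module paths out of a go.mod and flags each one whose Scorecard aggregate or named checks fall below a policy floor, failing closed when no result exists. The go.mod, the golang.org/x/net and testify entries, and every Scorecard number except easyjson's 3.7 aggregate are constructed here; the check names are Scorecard's own.

```python
# Constructed go.mod for this example (single-line and block require forms).
GO_MOD = """\
module example.com/app
require github.com/stretchr/testify v1.9.0
require (
\tgithub.com/mailru/easyjson v0.7.7 // indirect
\tgolang.org/x/net v0.30.0
)
"""
# Constructed Scorecard-style results (same shape as Scorecard JSON: aggregate "score" 0-10 and
# per-check "score", -1 = inconclusive). Only easyjson's 3.7 comes from the article; the rest is invented.
SCORECARDS = {
    "github.com/mailru/easyjson": {"score": 3.7, "checks": [
        {"name": "Branch-Protection", "score": 0}, {"name": "Fuzzing", "score": 0},
        {"name": "Code-Review", "score": 3}, {"name": "SAST", "score": -1}]},
    "golang.org/x/net": {"score": 8.2, "checks": [{"name": "Branch-Protection", "score": 8}]},
}

def required_modules(gomod: str) -> list[str]:
    """Return module paths from a go.mod's require lines, in file order."""
    mods, in_block = [], False
    for raw in gomod.splitlines():
        fields = raw.split()
        if fields[:2] == ["require", "("]:
            in_block = True
        elif in_block and fields == [")"]:
            in_block = False
        elif in_block and len(fields) >= 2 and not fields[0].startswith("//"):
            mods.append(fields[0])  # "path version [// indirect]"
        elif len(fields) >= 3 and fields[0] == "require":
            mods.append(fields[1])
    return mods

def flag(mods, scorecards, min_score=5.0, floors=None):
    """Reasons per failing module; a missing Scorecard result fails closed, -1 checks are skipped."""
    findings, floors = {}, floors or {}
    for mod in mods:
        card = scorecards.get(mod)
        if card is None:
            findings[mod] = ["no Scorecard result"]
            continue
        reasons = []
        if card["score"] < min_score:
            reasons.append(f"aggregate {card['score']:.1f} below {min_score:.1f}")
        for check in card["checks"]:
            floor = floors.get(check["name"])
            if floor is not None and 0 <= check["score"] < floor:
                reasons.append(f"{check['name']} scored {check['score']}, floor {floor}")
        if reasons:
            findings[mod] = reasons
    return findings
```

Running `flag(required_modules(GO_MOD), SCORECARDS, floors={"Branch-Protection": 5, "Code-Review": 5})` reports testify for having no result at all and easyjson for its aggregate, branch protection and code review, while x/net passes silently.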

The issue for Smith is what level of trust is appropriate for organizations trying to demonstrate due diligence – a vexing question after a US government official inadvertently invited a journalist to messaging app discussions of military planning. Pointing to the xz library compromise, in which one or more individuals using a pseudonym backdoored a compression library over a prolonged period of time, Smith said trust is the most dangerous weapon for targeting the open source software supply chain.

"So we're really trying to push the defensive perimeter a little bit further upstream so we can evaluate that trust and provide some measure there from a risk perspective," he said.

Smith noted that while government agencies can't buy Huawei equipment because of sanctions, they can still download and install open source contributions from Huawei engineers. What then does it mean to have open source code coming from developers affiliated with sanctioned individuals or entities, he asked.

"We need to start thinking about who the people [are] who are actually upholding the open source pillars that we all rely on," he said.

Hunted Labs, he said, anticipates applying similar scrutiny to open source projects overseen by developers in China.

And in China, Russia, and other nation-state adversaries, perhaps there's been a similar crisis of faith in open source code written by US-based maintainers. ®
