Putin On The Code: Dod Reportedly Relies On Utility Written By Russia Basedyandex Dev
updated A Node.js utility used by thousands of public projects – and more than 30 Department of Defense ones – appears to have a sole maintainer whose online profiles identify him as a Yandex employee living in Russia.
US cybersecurity firm Hunted Labs reported the revelations on Wednesday. The utility in question is fast-glob, which is used to find files and folders that match specific patterns. Its maintainer goes by the handle “mrmlnc”, and the Github profile associated with that handle identifies its owner as a Yandex developer named Denis Malinochkin living in a suburb of Moscow. A web site associated with that handle also identifies its owner as the same person, as Hunted Labs pointed out.
Hunted Labs told us that it didn’t speak to Malinochkin prior to publication of its report today, and that it found no ties between him and any threat actor. Following publication, Malinochkin contacted The Register to confirm that he is the sole developer of fast-glob, and that he’s never been approached by anybody to take any actions against it: “Nobody has ever asked me to manipulate fast-glob, introduce hidden changes to the project, or collect and share system data. I believe that open source is built on trust and diversity,” he wrote. (His full statement is at the end of this article.)
According to Hunted Labs, fast-glob is downloaded more than 79 million times a week and is currently used by more than 5,000 public projects in addition to the DoD systems and Node.js container images that include it. That’s not to mention private projects that might use it, meaning that the actual number of at-risk projects could be far greater.
While fast-glob has no known CVEs, the utility has deep access to systems that use it, potentially giving Russia a number of attack vectors to exploit.
Fast-glob could attack filesystems directly to expose and steal info, launch a DoS or glob-injection attack, include a kill switch to stop downstream software from functioning properly, or inject additional malware, a list Hunted Labs said is hardly exhaustive.
Yandex formally severed its Russian operations from its work outside Putin-controlled territory, and company’s cofounder broke with Russia following the invasion of Ukraine. That said, the Russian side of the firm has received restructuring advice directly from Putin’s advisors when it decided to start making the split.
But Yandex Russia’s close ties to the Putin regime have been growing for years, with the MIT Technology Review reporting in mid-2020 that relations between the firm and the Kremlin began to grow closer during the COVID-19 pandemic, following the company’s decision to give a state-owned bank veto power over transactions involving more than a quarter of the company’s stock.
Hunted Labs cofounder Haden Smith told The Register that the ties are cause for concern.
“Every piece of code written by Russians isn’t automatically suspect, but popular packages with no external oversight are ripe for the taking by state or state-backed actors looking to further their aims,” Smith told us in an email. “As a whole, the open source community should be paying more attention to this risk and mitigating it.”
Open-source software security is a growing concern in the light of multiple high-profile supply chain attacks in recent years, especially with foreign adversaries like Russia, China, and Iran regularly testing the fortitude of US government systems, and often with success.
US Defense Secretary Pete Hegseth said in a July memo [PDF] that the Pentagon would no longer “procure any hardware or software susceptible to adversarial foreign influence.” In theory, the Pentagon should want to remove fast-glob from its environment very quickly. Smith told us that his group shared the fast-glob research with the DoD three weeks ago. We asked the DoD what it plans to do about fast-glob but didn’t hear back.
Smith declined to identify any of the DoD projects that use fast-glob.
Hunted Labs said that the simplest solution for the thousands of projects using fast-glob would be for Malinochkin to add additional maintainers and enhance project oversight, as the only other alternative would be for anyone using it to find a suitable replacement.
“Open source software doesn’t need a CVE to be dangerous,” Hunted Labs said of the matter. “It only needs access, obscurity, and complacency,” something we’ve noted before is an ongoing problem for open source projects.
“This serves as another powerful reminder that knowing who writes your code is just as critical as understanding what the code does,” Hunted Labs concluded. ®
Updated Aug 27 at 21.15 GMT to reflect the Malinochkin’s comments. His full statement is below:
The fast-glob project is a popular solution for searching files by patterns in the file system. For more than 7 years (since 2016), I have been developing and maintaining this project on my own. The project was started before I began working at Yandex, and its development or support has never been part of my professional duties at the company. I released this project as open source back in 2016, believing that it could be useful for developers, and I’m glad it has turned out that way.
The main purpose of my solution is to quickly find file system paths based on user-defined patterns. Due to its performance, it has become popular compared to other alternatives. It can be considered an analogue of the ls system utility is for the Node.js platform. The solution works entirely locally, has no networking capabilities, and does not spawn additional processes. Search patterns are defined by the user. Execution is also initiated and fully controlled by the user. All of this can be reliably verified by reviewing the distributed code via the package manager (https://www.npmjs.com/package/fast-glob?activeTab=code) or on GitHub (https://github.com/mrmlnc/fast-glob).
I maintain the project alone, as over the years the community has not expressed a need for more active participation. This is typical for infrastructure-level solutions that users don’t interact with directly. I am always open to community contributions. I’d also like to emphasize once again that both the source code and the distributed package are fully open and auditable by potential users.
To answer your question: nobody has ever asked me to manipulate fast-glob, introduce hidden changes to the project, or collect and share system data. I believe that open source is built on trust and diversity.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
