Security Researchers Warn a Widely Used Open Source Tool Poses a 'Persistent' Risk to the US
The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm. Security researchers warn that a popular open source tool maintained by Russian developers could pose significant risks to US national security. Key Points: The open source tool easyjson is linked to VK Group, a company run by a sanctioned Russian executive. easyjson is widely used in the US across various critical sectors including defense, finance, and healthcare. * Concerns are heightened due to the potential for data theft and cyberattacks stemming from this software. *Recent findings from cybersecurity researchers at Hunted Labs indicate that easyjson, a code serialization tool for the Go programming language, is at the center of a national security alert. This tool, which has been integrated into multiple sectors such as the US Department of Defense, is maintained by a group of Russian developers linked to VK Group, led by Vladimir Kiriyenko. While the complete codebase appears secure, the geopolitical context surrounding its management raises substantial concerns about the potential risks involved. The significance of easyjson cannot be overstated, as it serves as a foundational element within the cloud-native ecosystem, critical for operations across various platforms. With connections to a sanctioned CEO and the broader backdrop of Russian state-backed cyberattacks, the fear is that easyjson could be manipulated to conduct espionage or potentially compromise critical infrastructures. Such capabilities underscore the pressing need for independent evaluations and potential reevaluations of software supply chains, particularly when foreign entities are involved.
%2Fcdn.vox-cdn.com%2Fuploads%2Fchorus_asset%2Ffile%2F8726989%2Facastro_170621_1777_0003_fin.jpg?width=92&height=&ar=&mode=&format=avif&dpr=2)
