Hunted Labs has revealed that easyjson, a widely utilized open source library, is maintained by developers affiliated with VK Group, a Russian technology conglomerate linked to the Kremlin. This poses a potential risk as easyjson is integrated into crucial systems across U.S. government agencies and major corporations, serving as a possible channel for foreign influence and data security threats. Affected: U.S. government agencies, Fortune 500 companies, Cloud Native Computing Foundation projects.
Key points:
- Easyjson is a significant Go package used for high-performance JSON serialization/deserialization.
- Over 85% of commits to easyjson come from Russian contributors, many of whom are associated with VK Group.
- Compromising easyjson could lead to various threats, including supply chain backdoors and remote code execution.
- The VK Group is under U.S. and E.U. sanctions and has a history of cooperating with Russian security services.
- The investigation began as a routine check for foreign-controlled code in U.S. enterprises and turned up these alarming findings.
- Easyjson's integration into critical infrastructure makes it an especially high-impact target for exploitation.
Read More: https://securityonline.info/critical-open-source-library-easyjson-linked-to-russian-vk-group/