FlagThis - #OpenSourceSecurity

Security researchers are raising alarms about the open-source library 'easyjson,' a Golang package used extensively across cloud-native technologies. A new investigation by cybersecurity firm Hunted Labs has revealed that easyjson is maintained and controlled by developers associated with VK Group, a major Russian internet conglomerate based in Moscow. VK Group's ties to the Kremlin, including its leadership being under U.S. and E.U. sanctions, have ignited concerns about potential supply chain risks for organizations relying on this library. Easyjson is used by the US government and American companies.

The 'easyjson' library is deeply embedded in the software ecosystem, particularly in cloud-native applications, distributed systems, and real-time analytics platforms. It's found to be widely used in projects like Helm, Istio, Kubernetes, ArgoCD, Grafana, Sigstore, and across many US Government and Fortune 500 organizations. This widespread integration makes it difficult to monitor, remove, or replace, according to Hunted Labs. The firm's report warns that "Any compromise of a serializer is extremely dangerous because they are: invisible, deeply integrated, hard to remove, and trusted by default.”

Researchers fear that Russia could alter easyjson to steal data or otherwise be abused. Hunted Labs outlines alarming possibilities if easyjson were to be compromised or weaponized, including supply chain backdoors enabling mass compromise, remote code execution via crafted JSON inputs, espionage and covert data exfiltration, and even kill switch activation across critical systems. As Hayden Smith, a cofounder at Hunted Labs, stated, the package is "basically a linchpin for the cloud native ecosystem, that’s maintained by a group of individuals based in Moscow belonging to an organization that has this suspicious history."


References :

• securityonline.info: Critical Open Source Library ‘easyjson’ Linked to Russian VK Group
• Security Latest: The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm.
• Cyber Security News: A new investigation by cybersecurity firm Hunted Labs has uncovered that “easyjson,†a pivotal open source software library, is entirely owned, maintained, and controlled by software developers employed by VK Group (formerly Mail.ru), one of Russia’s largest internet conglomerates based in Moscow.
• The Register - Software: Easyjson library's presence in numerous open source projects alarms security biz
• infosec.exchange: : a Golang package created by a Russian company with sanctioned CEO is found to be widely used in Helm, Istio, Kubernetes, ArgoCD, Grafana, Sigstore and across many US Government, Fortune 500 organisations: 👇
• securityonline.info: Hunted Labs has uncovered that a widely used open source library—easyjson—is maintained and controlled by developers associated with The post first appeared on .

Classification:

• HashTags: #OpenSourceSecurity #SupplyChainAttack #Russia
• Company: easyjson
• Target: Cloud-native technologies
• Product: easyjson
• Feature: Dependency
• Malware: easyjson
• Type: HighRisk
• Severity: Medium