Security researchers have raised concerns about the open-source software tool easyjson, which is extensively used by the U.S. government and various American companies. This tool is associated with VK Group, a Russian tech company linked to Vladimir Kiriyenko, an individual under U.S. sanctions due to his ties with the Kremlin. As a result, experts warn that easyjson could pose a "persistent" national security threat.
Since Russia’s invasion of Ukraine, many Russian technology firms have faced heavy sanctions, aimed at crippling their ability to operate internationally. Kiriyenko, the CEO of VK Group and son of a key ally of President Putin, has been particularly scrutinized for supporting a regime that has taken an increasingly repressive stance.
Easyjson is a JSON serialization tool for the Go programming language and is widely used across the cloud ecosystem. Researchers at Hunted Labs, who brought this issue to light, emphasize the risks that could emerge if Russia decided to manipulate easyjson for nefarious purposes, such as data theft or cyber espionage. They describe the software as a critical component in many applications across the defense, finance, and healthcare sectors.
Although the researchers note that no vulnerabilities have been discovered in easyjson’s code, the connection to Kiriyenko’s sanctioned company heightens the potential risk. They warn that easyjson could be used covertly to damage U.S. infrastructure or support espionage activities.
George Barnes, a former deputy director of the National Security Agency, indicated that hackers within Russian intelligence agencies might view easyjson as an opportunity for exploitation. The quality and efficiency of the code, coupled with its current ownership by VK, which has ties to the Kremlin, make it an attractive vehicle for potential attacks.
While VK Group did not respond to inquiries about easyjson, various U.S. defense entities similarly offered no comments about its presence in official software. The lack of known vulnerabilities does not alleviate concerns surrounding the geopolitical ramifications of its usage. As cyber threats have evolved and become more complex, the scrutiny of open-source software is increasing, particularly where foreign connections are involved.
Industry experts suggest that manufacturers and developers need to be vigilant and make risk-informed decisions when using open-source tools. The increasing prevalence of supply chain attacks is a reminder that the integrity of software cannot be taken for granted, regardless of its open-source nature.