Putin on the code: DoD reportedly relies on utility written by Russian dev
- Reference: 1756320787
- News link: https://www.theregister.co.uk/2025/08/27/popular_nodejs_utility_used_by/
- Source link:
US cybersecurity firm Hunted Labs reported the revelations on [1]Wednesday. The utility in question is fast-glob, which is used to find files and folders that match specific patterns. Its maintainer goes by the handle "mrmlnc", and the GitHub profile associated with that handle [2]identifies its owner as a Yandex developer named Denis Malinochkin living in a suburb of Moscow. A [3]website associated with that handle also identifies its owner as the same person, as Hunted Labs pointed out.
Hunted Labs told us that it didn't speak to Malinochkin prior to publication of its report today, and that it found no ties between him and any threat actor. Following publication, Malinochkin contacted The Register to confirm that he is the sole developer of fast-glob, and that he's never been approached by anybody to take any actions against it: "Nobody has ever asked me to manipulate fast-glob, introduce hidden changes to the project, or collect and share system data. I believe that open source is built on trust and diversity," he wrote. (His full statement is at the end of this article.)
According to Hunted Labs, fast-glob is downloaded more than 79 million times a week and is currently used by more than 5,000 public projects in addition to the DoD systems and Node.js container images that include it. That's not to mention private projects that might use it, meaning that the actual number of at-risk projects could be far greater.
While fast-glob has no known CVEs, the utility runs with the full privileges of whatever process imports it and is handed filesystem access by design, so a compromised release would give an attacker (in Hunted Labs' framing, the Russian state) a number of vectors to exploit.
A malicious version of fast-glob could read the filesystem directly to expose and exfiltrate data, launch a DoS or glob-injection attack, carry a kill switch that stops downstream software from functioning, or drop additional malware, a list Hunted Labs said is hardly exhaustive.
Yandex [8]formally severed its Russian operations from its work outside Putin-controlled territory, and the company's cofounder [9]broke with Russia following the invasion of Ukraine. That said, the Russian side of the firm received restructuring advice [10]directly from Putin's advisors when it decided to start making the split.
But Yandex Russia's close ties to the Putin regime have been growing for years, with the MIT Technology Review reporting in mid-2020 that relations between the firm and the Kremlin began to [11]grow closer during the COVID-19 pandemic, following the company's decision to give a state-owned bank veto power over transactions involving more than a quarter of the company's stock.
Hunted Labs cofounder Haden Smith told The Register that the ties are cause for concern.
"Every piece of code written by Russians isn't automatically suspect, but popular packages with no external oversight are ripe for the taking by state or state-backed actors looking to further their aims," Smith told us in an email. "As a whole, the open source community should be paying more attention to this risk and mitigating it."
Open-source software security is a growing concern in the light of multiple high-profile [13]supply chain attacks in recent years, especially with foreign adversaries like Russia, China, and Iran [14]regularly testing the fortitude of US government systems, and [15]often with success.
US Defense Secretary Pete Hegseth said in a July [16]memo [PDF] that the Pentagon would no longer "procure any hardware or software susceptible to adversarial foreign influence." In theory, the Pentagon should want to remove fast-glob from its environment very quickly. Smith told us that his group shared the fast-glob research with the DoD three weeks ago. We asked the DoD what it plans to do about fast-glob but didn't hear back.
Smith declined to identify any of the DoD projects that use fast-glob.
Hunted Labs said that the simplest solution for the thousands of projects using fast-glob would be for Malinochkin to add additional maintainers and enhance project oversight, as the only other alternative would be for anyone using it to find a suitable replacement.
"Open source software doesn't need a CVE to be dangerous," Hunted Labs said of the matter. "It only needs access, obscurity, and complacency," something we've noted [21]before is an ongoing problem for open source projects.
"This serves as another powerful reminder that knowing [22]who writes your code is just as critical as understanding what the code does," Hunted Labs concluded. ®
Updated Aug 27 at 21.15 GMT to reflect Malinochkin's comments. His full statement is below:
The fast-glob project is a popular solution for searching files by patterns in the file system. For more than 7 years (since 2016), I have been developing and maintaining this project on my own. The project was started before I began working at Yandex, and its development or support has never been part of my professional duties at the company. I released this project as open source back in 2016, believing that it could be useful for developers, and I’m glad it has turned out that way.
The main purpose of my solution is to quickly find file system paths based on user-defined patterns. Due to its performance, it has become popular compared to other alternatives. It can be considered an analogue of the ls system utility for the Node.js platform. The solution works entirely locally, has no networking capabilities, and does not spawn additional processes. Search patterns are defined by the user. Execution is also initiated and fully controlled by the user. All of this can be reliably verified by reviewing the distributed code via the package manager ([23]https://www.npmjs.com/package/fast-glob?activeTab=code) or on GitHub ([24]https://github.com/mrmlnc/fast-glob).
I maintain the project alone, as over the years the community has not expressed a need for more active participation. This is typical for infrastructure-level solutions that users don’t interact with directly. I am always open to community contributions. I’d also like to emphasize once again that both the source code and the distributed package are fully open and auditable by potential users.
To answer your question: nobody has ever asked me to manipulate fast-glob, introduce hidden changes to the project, or collect and share system data. I believe that open source is built on trust and diversity.
[1] https://huntedlabs.com/popping-fast-globs-hood/
[2] https://github.com/mrmlnc
[3] https://www.mrmlnc.com/
[8] https://www.theregister.com/2024/07/16/yandex_divests_russian_assets/
[9] https://www.theregister.com/2023/08/11/arkady_volozh_denounces_ukraine_invasion/
[10] https://www.theregister.com/2022/12/05/yandex_signs_up_putin_ally/
[11] https://www.technologyreview.com/2020/08/19/1006438/yandex-putin-arkady-volozh-kremlin/
[13] https://www.theregister.com/2025/03/24/nation_state_supply_chain_attack/
[14] https://www.theregister.com/2025/03/05/china_silk_typhoon_update/
[15] https://www.theregister.com/2025/01/02/chinese_spies_targeted_sanctions_intel/
[16] https://media.defense.gov/2025/Jul/22/2003759081/-1/-1/1/ENHANCING-SECURITY-PROTOCOLS-FOR-THE-DEPARTMENT-OF-DEFENSE.PDF
[21] https://www.theregister.com/2025/07/22/open_source_windows_security_opinion_column/
[22] https://www.theregister.com/2025/06/25/supply_chain_attacks_hammer_organizations/
[23] https://www.npmjs.com/package/fast-glob?activeTab=code
[24] https://github.com/mrmlnc/fast-glob
Re: Doesn't matter who wrote it
The idea of reading the code you download before deploying it to production, or indeed ever, is anathema to your average modern dev.
If you can't trust random strangers on the internet who can you trust?
This is not special
This library is no more an injection risk than any other. While the dev would theoretically be more easily coerced to poison it by the Russian government, the change would also be more obvious from a small library (therefore large code changes to add something malicious are more noticeable) and single developer. The problem is not that this little piece of open source code is written by someone in Russia; there's far more code written by people in Russia. The problem is loading code into anywhere sensitive without having some reason to think that it's secure or that there are precautions in place if it turns out not to be.
If Russia wants to do a supply chain attack, they have a lot of NPM modules they can choose. Many of them are much larger and not well-maintained, so if they can trick the one developer into accepting their updates, they could do similar things. They could easily decide that fast-glob looks like a nice one to do it to, unless articles like this one result in more scrutiny on that package or its removal. There are a lot more important aspects than a dev living in Russia to determining the risk or damage of that happening.
It's not that hard, really.
While I can't say anything about this particular package, I'd expect, as a developer who's worked in the Node.js ecosystem, that any sensible dev checks installed npm packages (and yes, this doesn't only apply to npm) and which dependencies those packages have in turn, and so on. It's not rocket science, just basic code hygiene... Oh, you don't have time? Well, maybe don't use that sketchy package in your code, because it will cost you and your business more time when it gets pwned.
Of course, different developers have different security requirements on a project basis, but from my personal experience the projects I work on have very stringent security needs.
Re: It's not that hard, really.
And it seems like the DoD (for example) could, with only minimal effort, just as well use [1]Isaac Z. Schlueter 's (who wrote npm) [2]node-glob instead of some Russian, Chinese, North Korean, or Iranian software ...
[1] https://github.com/isaacs
[2] https://github.com/isaacs/node-glob
Did left-pad die in vain for us?
> Simplest solution for the thousands of projects using fast-glob would be for Malinochkin to add additional maintainers and enhance project oversight, as the only other alternative would be for anyone using it to find a suitable replacement.
The *only* other alternative?
Not, keeping a known copy in your own system? Along with the rest of the code you are relying on?
Not, gathering a group of Trustworthy True Red, White and Blue Pure Hearted US Patriots who can make a simple fork (and offer Malinochkin tech leadership rights, but take on anything more onerous or tedious wrt managing a popular package, to make life easier for him as well?)
Not, offering to help the sole developer who has the misfortune to write something useful for you ungrateful bastards? Oh no, Malinochkin has to take all the initiative.
Not only has nobody learnt anything from things like the [1]left-pad incident?* but anyone who actually does something good as a sole dev is now to be a suspected security hole and it is all their fault!
* Oh, but Azer Koçulu - that doesn't sound like a white US male's name, he was suspect all along.
[1] https://www.theregister.com/2016/03/23/npm_left_pad_chaos/
Doesn't matter who wrote it
Surely the vulnerability here is not that the code was written by someone you don't control, but rather that the general practice in the JS world (just pulling everything from "source" rather than taking a trusted, local copy) allows them to change it without you knowing.