Defense Department Reportedly Relies On Utility Written by Russian Dev (theregister.com)
- Reference: 0178898214
- News link: https://tech.slashdot.org/story/25/08/27/2026245/defense-department-reportedly-relies-on-utility-written-by-russian-dev
- Source link: https://www.theregister.com/2025/08/27/popular_nodejs_utility_used_by/
> US cybersecurity firm Hunted Labs reported the revelations on Wednesday. The utility in question is fast-glob, which is used to find files and folders that match specific patterns. Its maintainer goes by the handle "mrmlnc", and the GitHub profile associated with that handle [3] identifies its owner as a Yandex developer named Denis Malinochkin living in a suburb of Moscow. A [4] website associated with that handle also identifies its owner as the same person, as Hunted Labs pointed out.
>
> Hunted Labs told us that it didn't speak to Malinochkin prior to publication of its report today, and that it found no ties between him and any threat actor. According to Hunted Labs, fast-glob is downloaded more than 79 million times a week and is currently used by more than 5,000 public projects in addition to the DoD systems and Node.js container images that include it. That's not to mention private projects that might use it, meaning that the actual number of at-risk projects could be far greater.
>
> While fast-glob has no known CVEs, the utility has deep access to systems that use it, potentially giving Russia a number of attack vectors to exploit. Fast-glob could attack filesystems directly to expose and steal info, launch a DoS or glob-injection attack, include a kill switch to stop downstream software from functioning properly, or inject additional malware, a list Hunted Labs said is hardly exhaustive. [...] Hunted Labs cofounder Haden Smith told The Register that the ties are cause for concern. "Every piece of code written by Russians isn't automatically suspect, but popular packages with no external oversight are ripe for the taking by state or state-backed actors looking to further their aims," Smith told us in an email. "As a whole, the open source community should be paying more attention to this risk and mitigating it." [...]
>
> Hunted Labs said that the simplest solution for the thousands of projects using fast-glob would be for Malinochkin to add additional maintainers and enhance project oversight, as the only other alternative would be for anyone using it to find a suitable replacement. "Open source software doesn't need a CVE to be dangerous," Hunted Labs said of the matter. "It only needs access, obscurity, and complacency," something we've noted before is an ongoing problem for open source projects. "This serves as another powerful reminder that knowing who writes your code is just as critical as understanding what the code does," Hunted Labs concluded.
[1] https://www.theregister.com/2025/08/27/popular_nodejs_utility_used_by/
[2] https://huntedlabs.com/popping-fast-globs-hood/
[3] https://github.com/mrmlnc
[4] https://www.mrmlnc.com/
known Russians covert Russians (Score:2)
A named person with a verifiable location and employment is less likely to turn malicious than an unnamed (i.e., fake-named) one. And, devs who intend to plant a time/logic bomb (in a sanely distributed piece of software) or a simple rug pull (in node.js or docker) will use a proxy in a less suspect part of the world.
Heck, I myself offered a bunch of Cuban guys at a conference a VPN they could use for Github (which bans Cuba as an "evil" country); in the end, they went with someone else who has better ping t
Paranoid (Score:4, Insightful)
Their issue is really that there is little to no security with these packages. The code is fine now, but just like every other package it could be altered. The only novel thing is that he's Russian.
I somehow doubt he will be interested in adding more developers to make them happy. Someone could fork it, but that doesn't solve any security issues. Just not being Russian doesn't mean anything really.
Re: (Score:3)
> Just not being Russian doesn't mean anything really.
By the same token, just being Russian doesn't mean anything really.
Re: Paranoid (Score:2)
7zip is another program that might be at risk.
Think about an offer you can't refuse.
Re: (Score:3)
> Their issue is really that there is little to no security with these packages. The code is fine now, but just like every other package it could be altered.
For anything where security is a consideration, you should always vet included 3rd party code, and maintain an internal "known good" repository to draw from.
Yes, this means you have to update (and re-verify) code in your internal repository regularly to avoid discovered flaws. Modern tools like Git make this a lot easier than it used to be. It still takes effort and diligence.
It is just part of the cost of security. You can choose not to be secure. Or you can do the work.
Re: (Score:2)
> this means you have to update (and re-verify) code in your internal repository regularly
It's the Pentagon, where people still encounter servers with the admin password being something as trivial as P@ssw0rd1
Re: (Score:1)
> Someone could fork it, but that doesn't solve any security issues.
Someone could fork it and be less likely to decide (or be forcibly persuaded) to inject some subtle vulnerabilities in the future.
Re: (Score:2)
Yes, unfortunately while the issue is more prominent with NodeJS packages, it is inherently pretty bad all around, including with Python and Go.
For Go there was a recent ssh hacking package that was phoning the results home, so if you tried to test your own infrastructure you would gracefully share the results with hackers. Google does provide a global go mod proxy which should help filter some of the bad packages but I doubt they are capable of validating every single source, especially since most Go modul
Re: (Score:2)
Articles like this are why The Register is a joke amongst professionals in the field. This is a company using the media to create a PR stunt to drive business, and they are content to be complicit. ALL packages that you don't audit are to be untrusted - it doesn't matter _where_ they come from. Developers in the US and UK can easily be pressed to make code injections under existing national security laws. It doesn't matter _where_ code comes from, it matters if you're stupid enough to run it without aud
No ties to any threat actor (Score:2)
Until now. Now the threat actors are aware of this vulnerability, I'm sure they're looking closely at this guy.
Entitled much? (Score:4, Insightful)
"As a whole, the open source community should be paying more attention to this risk and mitigating it."
So, if I'm understanding this right, the solution is for more people to work for free so I can just blindly grab whatever; not for the people already getting their software for nothing to care even slightly about their dependencies?
Nationalism comes to open source (Score:2)
So, how's that whole connect the world via the internet and hope people get over their differences thing been working out?
Mistakes were made (Score:2)
I am fully aware of the limitations that made node.js seem like a good idea.
I will get downvoted hard, but the problems occurred when somebody decided that they wanted to run javascript for a core piece of software. The fact other people piled onto it just compounded the problem.
If you need a thing - you write the software for it. Javascript is probably 30 years old now, but it is still a bad decision.
It is exactly equal to all things container. Sure the idea of a discrete blob that isolates a thing is g
Re: (Score:2)
Every time I have the displeasure of seeing a project with hundreds (literally) of javascript dependencies where you don't have the slightest chance to check whether each of them is safe to use in a timely manner, I completely agree with you.
Re: The ultimate in racism (Score:4, Insightful)
Apparently it's OK to be racist in the US when the target of your hate is Russian, Venezuelan, Iranian, or Chinese. Sometimes North Korean, but the rules keep changing.
Re: (Score:2)
[Citation Needed]
The simplest solution (Score:1)
The actual simplest solution is not for this maintainer to take on additional maintainers and "oversight". The simplest solution is for him to ignore all this and continue maintaining his project however he sees fit. People who release software as open source do not suddenly gain an obligation to mitigate perceived risks or follow corporate policies from their downstream users. This is just another iteration of managers yelling at open source volunteers for not responding to their bug reports in the way
PR stunt by idiots (Score:3)
They "discovered" a fact which was public on github for 5 years. If they were actually interested in cybersecurity they'd be sounding the alarm about the lack of trust of packages in general (obviously projects with tens of maintainers have never had security issues from within.......). This is a PR stunt by a firm that has little expertise and a lot of political pull (management of Mark Esper, among others). All they're doing is using the media to gin up business that they're obviously very bad at.
Cheap PR stunt and rehash. (Score:2)
These are all issues that have been hashed and rehashed for decades. These guys are just ginning up free PR hoping to get some name recognition and business.
just npm-fund with trumps CC card! (Score:1)
just npm-fund with trumps CC card!