updated A Node.js utility used by thousands of public projects - and more than 30 Department of Defense ones - appears to have a sole maintainer whose online profiles identify him as a Yandex employee living in Russia.

US cybersecurity firm Hunted Labs reported the revelations on Wednesday. The utility in question is fast-glob, which is used to find files and folders that match specific patterns. Its maintainer goes by the handle "mrmlnc", and the Github profile associated with that handle identifies its owner as a Yandex developer named Denis Malinochkin living in a suburb of Moscow. A web site associated with that handle also identifies its owner as the same person, as Hunted Labs pointed out.

Hunted Labs told us that it didn't speak to Malinochkin prior to publication of its report today, and that it found no ties between him and any threat actor. Following publication, Malinochkin contacted The Register to confirm that he is the sole developer of fast-glob, and that he's never been approached by anybody to take any actions against it: "Nobody has ever asked me to mainpulate fast-glob, introduce hidden changes to the project, or collect and share system data. I believe that open source is built on trust and diversity," he wrote. (His full statement is at the end of this article.)

According to Hunted Labs, fast-glob is downloaded more than 79 million times a week and is currently used by more than 5,000 public projects in addition to the DoD systems and Node.js container images that include it. That's not to mention private projects that might use it, meaning that the actual number of at-risk projects could be far greater.

While fast-glob has no known CVEs, the utility has deep access to systems that use it, potentially giving Russia a number of attack vectors to exploit. 

Fast-glob could attack filesystems directly to expose and steal info, launch a DoS or glob-injection attack, include a kill switch to stop downstream software from functioning properly, or inject additional malware, a list Hunted Labs said is hardly exhaustive. 

Yandex formally severed its Russian operations from its work outside Putin-controlled territory, and company's cofounder broke with Russia following the invasion of Ukraine. That said, the Russian side of the firm has received restructuring advice directly from Putin's advisors when it decided to start making the split. 

But Yandex Russia's close ties to the Putin regime have been growing for years, with the MIT Technology Review reporting in mid-2020 that relations between the firm and the Kremlin began to grow closer during the COVID-19 pandemic, following the company's decision to give a state-owned bank veto power over transactions involving more than a quarter of the company's stock. 

Hunted Labs cofounder Haden Smith told The Register that the ties are cause for concern. 

"Every piece of code written by Russians isn't automatically suspect, but popular packages with no external oversight are ripe for the taking by state or state-backed actors looking to further their aims," Smith told us in an email. "As a whole, the open source community should be paying more attention to this risk and mitigating it."

Open-source software security is a growing concern in the light of multiple high-profile supply chain attacks in recent years, especially with foreign adversaries like Russia, China, and Iran regularly testing the fortitude of US government systems, and often with success. 

US Defense Secretary Pete Hegseth said in a July memo [PDF] that the Pentagon would no longer "procure any hardware or software susceptible to adversarial foreign influence." In theory, the Pentagon should want to remove fast-glob from its environment very quickly. Smith told us that his group shared the fast-glob research with the DoD three weeks ago.  We asked the DoD what it plans to do about fast-glob but didn't hear back. 

Smith declined to identify any of the DoD projects that use fast-glob.

• Kremlin goons caught abusing ISPs to spy on Moscow-based diplomats, Microsoft says
• Microsoft used staff in China to help babysit US govt cloud services, report says
• Law and water: Russia blamed for US court system break-in and Norwegian dam drama
• Poisoned Go programming language package lay undetected for 3 years

Hunted Labs said that the simplest solution for the thousands of projects using fast-glob would be for Malinochkin to add additional maintainers and enhance project oversight, as the only other alternative would be for anyone using it to find a suitable replacement.

"Open source software doesn't need a CVE to be dangerous," Hunted Labs said of the matter. "It only needs access, obscurity, and complacency," something we've noted before is an ongoing problem for open source projects. 

"This serves as another powerful reminder that knowing who writes your code is just as critical as understanding what the code does," Hunted Labs concluded. ®

Updated Aug 27 at 21.15 GMT to reflect the Malinochkin's comments. His full statement is below: