A critical piece of code used by the Department of Defense and millions of others is being maintained by a single Russian developer. So what, some argue: half the internet runs on someone’s side project. The stir in the cybersecurity community highlights concerns over the influence nation-states can exert on individual maintainers.

Security researchers at Hunted Labs recently highlighted “fast-glob,” a widely used Node.js utility for quick file and folder searches.

“Having a solo maintainer poses a supply chain risk to more than 5,000 software packages, including container images in Node.js and Department of Defense systems,” the report states.

“Our investigation found it in more than 30 containers in approved DoD systems.”

The dependency graph on GitHub reveals that this code is used by over 27 million repositories and receives 75 million downloads per week on NPM, a JavaScript package manager.

Hunted Labs reports that fast-glob maintainer mrmlnc, or Denis Malinochkin, has been living in Moscow and working for Yandex, a Russian tech giant known to cooperate with the Russian government in tracking, censoring, and oppressing citizens.

And that’s a risk, “given the open-source community’s tendency to blindly adopt projects with little to no information about the contributors behind them.”

However, there are no signs that the developer has ever engaged in any wrongdoing.

The developer emphasized that he was never asked to manipulate the tool, introduce hidden changes to the project, or collect and share system data.

Malinochkin even reached out to The Register and explained that he has been developing fast-glob on his own since 2016, long before joining Yandex. The fully open-source project runs entirely locally, and anyone can check the code.

Half of the most popular code is “one person”

Josh Bressers, podcaster, blogger, and VP of Security at Anchore, stood up to defend the Russian developer.

“The software running THE WHOLE F*CKING PLANET is written by one person. In a country. But we have no idea which country. It’s not the same person, mind you, but it’s one person,” Bressers argues in a blog post.

“Almost all open source is literally one person.”

The expert backed the claim with data: of the 11.8 million open source projects tracked by ecosyste.ms, about 7 million are maintained by a single person. The actual figure is likely even larger, because four million projects have an unknown number of maintainers.

“It’s actually bigger than that,” Bressers said.

“A bunch of those will be one person.”

Code maintained by a single developer makes up almost half of the most popular repositories on NPM.

“About half of the 13,000 most downloaded NPM packages are ONE PERSON,” the expert highlights.

Many solo developers also own more than a single package, and few of them are likely to have the resources they need.

Bressers argues that underpaid and overworked maintainers are the real supply chain risk, not the country they’re from.

“Let’s face it, the Russians aren’t dumb enough to backdoor a package owned by a guy living in Russia. They’re going to do something like pretend to be from another country with a name like Jia Tan, not Boris D. Badguy. This isn’t a Rocky and Bullwinkle episode.”

Maintainers aided by contributors, but risks remain

The discussion is gaining traction on Lobste.rs, a community-driven forum for programmers and tech professionals.

Computer scientist Kornel Lesinski argues that the number of maintainers is not the right measure of collaboration, because an average NPM dependency tree involves many different people. It’s more convenient to publish small, independent packages than to have multiple maintainers collaborate on a single monolithic library.

However, others expressed concerns that any code accessible to nation-states might be abused. A developer faced with a secret court warrant has few choices.

“I have a very different level of faith in the Russian government than one person,” one developer said.

While many agree that the focus on a single maintainer might be overblown, cautious awareness of geopolitical or systemic risks remains.

Hunted Labs researchers admit that there’s no quick and easy solution to replacing or fixing fast-glob.

“The best option is for mrmlnc to add additional maintainers and oversight to the project, with new maintainers known to the open source community and living in democratic societies. This is the simplest solution that immediately protects the millions of projects that use fast-glob,” Hunted Labs suggests.

Other alternatives include choosing a different tool or forking and maintaining a separate version of it.

However, the researchers also urge the immediate removal of fast-glob from products used by the US Department of Defense or the Intelligence Community. DoD has previously issued a memorandum directing that all tech must be validated as secure against potential supply chain attacks from China, Russia, and other adversaries.