
Security researchers warn that a widely used open source tool poses a “lasting” risk to the United States

George Barnes, former deputy director of the National Security Agency, said: “The state has made strategic positioning.” Barnes said hackers in Russian intelligence agencies may see Easyjson as a potential opportunity for future abuse.

“This is totally valid code. There are no known vulnerabilities, so no other company found any problems,” Barnes said. “However, the person who actually owns it is under the guise of VK, which is nervous with the Kremlin. If I’m sitting in the GRU or FSB and I’m looking for a list of opportunities… it’s perfect. It’s just lying there.”

VK Group did not respond to Wired’s request for comment about Easyjson. The U.S. Department of Defense did not respond to a request for comment on the incorporation of Easyjson into its software.

“The NSA has no comments on this particular software,” an NSA spokesman said. “The NSA Cybersecurity Cooperation Center does welcome tips from the private sector. When tips are received, the NSA will tip against our own insights to fully understand the threat, if confirmed, and share any relevant mitigation with the community.” A spokesman for the Cybersecurity and Infrastructure Security Agency under the second Trump administration said, “We will introduce you to the hunting lab.”

GitHub, the Microsoft-owned code repository, said that it will investigate the issue and act on any policy violations, but that it is not aware of any malicious code in Easyjson or from VK. Other tech companies have handled VK differently. For example, Apple removed VK’s social media apps from its App Store in September 2022 after the UK sanctioned the leader of the Russian bank that owned a stake in VK.

Dan Lorenc, CEO of supply chain security firm Chainguard, said that Easyjson’s connection with Russia puts it in a “nilly” state and makes its cybersecurity risk “slightly higher” than that of other software libraries. He added that red flags around other open source technologies may not be as obvious.

“In the entire open source space, you don’t even necessarily know where people are,” Lorenc said, noting that many developers don’t disclose their identities or locations online, and even if they do, it’s not always possible to verify that the details are correct. “This code is something we have to trust, and the code and system used to build that code. People are important, but we are just in a world where trust can be pushed to individuals,” Lorenc said.

Since Russia’s full-scale invasion of Ukraine, there has been increasing scrutiny of the use of open source software and of the impact of sanctions on entities involved in its development. Last October, Linux kernel maintainers removed 11 Russian developers from the open source project, citing sanctions as the reason for the change. Then in January, the Linux Foundation issued guidance on how international sanctions affect open source, saying developers should be cautious about whom they interact with.
