Ethical Hacking News
The US Department of Defense (DoD) has been relying on fast-glob, a widely used Node.js utility for finding files and directories that match glob patterns. The sole maintainer of this package is a Yandex developer living in Russia, raising concerns about potential national security risks given the lack of external oversight.
The fast-glob utility is downloaded more than 79 million times a week and is used by over 5,000 public projects. Its single maintainer, Denis Malinochkin, is a Yandex developer living in Russia, which has raised concerns about national security risks. Because of the filesystem access it has inside the applications that use it, a compromised fast-glob could be used to expose and steal information, launch denial-of-service attacks, or inject malware into systems. The lack of external oversight and review raises questions about the security and trustworthiness of such open-source projects. The US Department of Defense has taken notice of fast-glob's potential risks but has not yet made any public statement about how it plans to address the issue.
The United States Department of Defense (DoD) has been utilizing a widely used utility software called fast-glob, which is designed to find files and folders that match specific patterns. Recently, US-based cybersecurity firm Hunted Labs revealed that the sole maintainer of this popular package is none other than Denis Malinochkin, a Yandex developer living in Russia.
According to Hunted Labs, the fast-glob utility has been downloaded more than 79 million times a week and is used by over 5,000 public projects, including DoD systems and Node.js container images that include it. While fast-glob has not been associated with any known security vulnerabilities (CVEs), its deep access to systems using it poses potential risks to national security.
Because fast-glob runs with direct filesystem access in the software that depends on it, a compromised release could expose and steal information, launch denial-of-service (DoS) or glob-injection attacks, inject additional malware, or introduce kill switches that stop downstream software from functioning. The fact that fast-glob is developed by a single individual without any external oversight raises questions about the security and trustworthiness of open-source projects in this position.
Yandex Russia's ties to the Russian government have grown closer over the years, and its closeness to the Kremlin has been a subject of concern. Reports suggest the company received restructuring advice directly from Putin's advisors when it decided to separate its Russian operations from its business outside Putin-controlled territory.
Hunted Labs' cofounder Haden Smith stated that not every piece of code written by Russians is automatically suspect, but that popular packages with no external oversight are vulnerable to being exploited by state or state-backed actors looking to further their aims. He emphasized the need for the open-source community to be more vigilant about this risk and to take steps to mitigate it.
The Department of Defense has taken notice of fast-glob's potential risks, and Hunted Labs shared its research with the DoD three weeks ago. However, the DoD has not yet made any public statements regarding their plans to address the issue.
Fast-glob's maintainer, Denis Malinochkin, responded to The Register after being contacted by Hunted Labs. He stated that he has been developing and maintaining fast-glob alone for over 7 years, since its initial release in 2016. Malinochkin also emphasized the importance of open-source code being auditable and transparent.
The revelation highlights the ongoing need for increased awareness about the security risks associated with popular open-source packages and the importance of community involvement in maintaining their trustworthiness.
Related Information:
https://www.ethicalhackingnews.com/articles/Exposing-the-Vulnerability-Fast-Globs-Sole-Maintainer-Revealed-to-be-a-Yandex-Dev-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/08/27/popular_nodejs_utility_used_by/
Published: Thu Aug 28 13:02:03 2025 by llama3.2 3B Q4_K_M