From Russia with doubt: Go library’s Kremlin ties stoke fear

Easyjson, a popular Go library for data serialisation, is raising eyebrows due to its connections with Russia’s VK Group, which reportedly has ties to state entities. Security firm Hunted Labs has flagged concerns about the library’s use in critical open-source projects and its implications for US government and private sector security.

Source: The Register

Key Points

  • The Easyjson library is maintained by developers linked to VK Group, potentially posing a security risk.
  • No malicious code has been discovered in the library, although its origins raise concerns for US organisations.
  • Hunted Labs has conducted a risk assessment on Easyjson due to its wide usage across popular projects such as Kubernetes and Grafana.
  • There are fears about state-sponsored manipulation of open-source software, likening it to a “sleeper cell” in tech systems.
  • The security posture of Easyjson has been called weak, scoring only 3.7 out of 10 on security checks.

Why should I read this?

If you’re involved in software development or manage cybersecurity for your organisation, this article brings to light the potential risks associated with seemingly innocuous open-source components. The discussions around Easyjson highlight the importance of scrutinising the origins and security measures of third-party software, especially in a landscape where geopolitical tensions can influence technology and data security. Don’t wait for an issue to arise—stay informed and ahead of the curve!
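A first step in that scrutiny is finding out whether, and through which path, a module such as easyjson enters your own Go builds. The script below is an added example, not code from the article, from Hunted Labs or from the easyjson project: it parses captured `go mod graph` output (a constructed sample; the intermediate module names and versions are illustrative, and the module path github.com/mailru/easyjson is assumed to be the library in question) and reports every import chain to the target plus the modules that import it directly.

```python
"""Locate a dependency such as easyjson in a Go module graph and show how it gets there."""
from collections import deque

# Constructed sample of `go mod graph` output (each line: "importer importee").
# Intermediate module names and versions are illustrative, not real project data.
SAMPLE_GRAPH = """\
example.com/app github.com/example/metrics@v1.2.0
example.com/app github.com/example/cli@v0.9.1
github.com/example/metrics@v1.2.0 github.com/mailru/easyjson@v0.7.7
github.com/example/metrics@v1.2.0 golang.org/x/sys@v0.1.0
github.com/example/cli@v0.9.1 golang.org/x/sys@v0.1.0
github.com/mailru/easyjson@v0.7.7 github.com/example/helper@v1.0.0
"""

def parse_mod_graph(text):
    """Return {module@version: [dependencies]} from `go mod graph` text."""
    graph = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        graph.setdefault(parts[0], []).append(parts[1])
        graph.setdefault(parts[1], [])
    return graph

def module_path(node):
    """Strip the @version suffix so any version of a module matches."""
    return node.split("@", 1)[0]

def dependency_chains(graph, root, target_path):
    """All simple import chains from root to any version of target_path."""
    chains = []
    queue = deque([[root]])
    while queue:
        chain = queue.popleft()
        for dep in graph.get(chain[-1], []):
            if dep in chain:
                continue  # guard against cycles in the module graph
            path = chain + [dep]
            if module_path(dep) == target_path:
                chains.append(path)
            else:
                queue.append(path)
    return chains

def direct_importers(graph, target_path):
    """Modules that import target_path directly: where a review or replacement starts."""
    return sorted({imp for imp, deps in graph.items()
                   if any(module_path(d) == target_path for d in deps)})

if __name__ == "__main__":
    g = parse_mod_graph(SAMPLE_GRAPH)
    for chain in dependency_chains(g, "example.com/app", "github.com/mailru/easyjson"):
        print(" -> ".join(chain))
    print("direct importers:", direct_importers(g, "github.com/mailru/easyjson"))
```

On a live module, `go mod why -m github.com/mailru/easyjson` answers the same question; this version works offline over captured graph output, so it can be run in CI against a stored artefact.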