The open source project 'Easyjson' is being developed in Russia, and is also used by the US Department of Defense and other organizations, posing a major risk to national security.

Security company Hunted Labs has warned that the open source Go language library '
The Russian Open Source Project That We Can't Live Without - Hunted Labs
https://huntedlabs.com/the-russian-open-source-project-that-we-cant-live-without/
From Russia with doubt: Go library's Kremlin ties stoke fear • The Register
https://www.theregister.com/2025/05/06/from_russia_with_doubt_go/
Easyjson is a Go package designed to optimize the process of JSON serialization and deserialization. It has become widespread across the cloud-native ecosystem, and is an essential library for a variety of open source projects and enterprise software, including Kubernetes.
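Because a library this widespread usually arrives through other dependencies rather than a direct import, the following added example (not from Hunted Labs or the Easyjson project) finds the shortest chain by which it enters a Go build, using the edge list printed by `go mod graph`. The module path `github.com/mailru/easyjson`, the `example.com/app` and `github.com/acme/...` modules and all versions in the sample are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in `go mod graph` format: one "<module> <dependency>" edge per line.
const sampleGraph = `example.com/app github.com/acme/httpkit@v1.4.0
example.com/app github.com/acme/metrics@v0.9.1
github.com/acme/httpkit@v1.4.0 github.com/acme/openapi@v0.3.2
github.com/acme/openapi@v0.3.2 github.com/mailru/easyjson@v0.7.7`

// FindPath returns the shortest dependency chain from the main module root
// to any version of the module want, or nil if want is not in the graph.
func FindPath(graph, root, want string) []string {
	edges := map[string][]string{}
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 { // skip blank or malformed lines
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	parent := map[string]string{root: ""} // doubles as the visited set
	queue := []string{root}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if strings.HasPrefix(n, want+"@") {
			var path []string
			for ; n != ""; n = parent[n] { // walk back to the root
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, d := range edges[n] {
			if _, seen := parent[d]; !seen {
				parent[d] = n
				queue = append(queue, d)
			}
		}
	}
	return nil
}

func main() {
	// Module path below is an assumption of this example, not stated on the page.
	p := FindPath(sampleGraph, "example.com/app", "github.com/mailru/easyjson")
	fmt.Println(strings.Join(p, " -> "))
}
```

On a real project, replace the sample with the output of `go mod graph` and pass the module name from your own `go.mod` as the root.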

In a report published on May 5, 2025, Hunted Labs noted that Easyjson was developed by VK, a social media company also known as the 'Russian version of Facebook.'
'Even without direct intervention from the Russian government, state-sponsored hackers could sneak seemingly harmless open source projects deep into America's tech stack, allowing them to monitor and manipulate American systems. These sophisticated backdoors and bugs could become the digital equivalent of sleeper cells, affecting everything from the Pentagon to personal iPhones,' Hunted Labs said in the report.
VK is a major technology company used by 95% of Russian internet users. It has ties to the Russian government through the state-owned gas company
Hunted Labs emphasized that VK in particular has been accused of censoring content in support of the Russian government in the wake of Russia's ongoing invasion of Ukraine, which began in 2022, and said it is important to note that VK is a social media platform used to monitor and censor dissidents on behalf of the state.

Previously, Easyjson was hosted on the GitHub account of Mail.ru, a VK-owned email company. Hunted Labs' investigation found that Russian contributors control the repository and are responsible for over 85% of all commits.
While no malicious code has been found in the Easyjson library, the discovery of a backdoor in the compression library XZ Utils has raised concerns about the weaponization of open source projects created by developers with ties to governments of countries at odds with the liberal camp.
'To be clear, we're not saying that everyone operating out of Russia or China is bad,' said Hayden Smith, co-founder and chief technology officer at Hunted Labs. 'The bottom line is that we should think seriously about software developed by people affiliated with organizations that have been involved in questionable activity against the United States in the past.'