Widely used Easyjson tool tied to Russia’s VK poses national security risk, researchers say

Widely used Easyjson tool tied to Russia’s VK poses national security risk, researchers say

Cybersecurity experts are warning that a widely used open-source software package may pose a persistent national security threat to the United States. The tool, called easyjson, is extensively deployed across US government systems and key sectors including finance, healthcare, and technology, according to new research from security firm Hunted Labs.

Easyjson, a Go package designed to optimize the serialization and deserialization of JSON data, is a critical dependency in numerous enterprise and cloud-native applications. It is used in software stacks involving Kubernetes, Helm, Istio, and other foundational cloud tools, many of which are used by the US Department of Defense and major American businesses.

Hunted Labs found that easyjson appears to be entirely maintained by developers based in Moscow, many of whom are employed by VK Group, formerly known as Mail.ru, one of Russia’s largest internet conglomerates. VK is controlled by Russian state-owned entities, and its CEO, Vladimir Kiriyenko, is under US and EU sanctions due to his ties to the Kremlin.

Kiriyenko, the son of one of President Vladimir Putin’s top aides, took the helm at VK in December 2021, shortly before Russia’s full-scale invasion of Ukraine. Since then, VK has increasingly aligned with the Russian government’s authoritarian posture.

Although easyjson has seen fewer updates in recent years — most development activity occurred prior to 2020 — its continued presence in key software stacks makes it a high-priority concern. Hunted Labs says that while it has not found evidence of malicious code in the current version, the project’s Russian control and high-value integration make it a potential vector for supply chain attacks.

“Russia doesn’t need to attack directly. By influencing state-sponsored hackers to embed a seemingly innocuous OSS project deep in the American tech stack, they can wait, watch, and pull strings when it counts. A well-placed backdoor or subtle bug could become the digital equivalent of a sleeper cell—with impact spanning from the Pentagon to your iPhone,” Hunted Labs said, noting that the package could be exploited as part of supply chain attacks, via a remote code execution (RCE), espionage, data exfiltration, and a kill switch activation.

Back to the list

Latest Posts

Cyber Security Week in Review: May 16, 2025

Cyber Security Week in Review: May 16, 2025

In brief: Microsoft, Fortinet, Ivanti, and Google patch zero-days, crypto exchange Coinbase reveals a data breach, and more.
16 May 2025
Russia-linked espionage operation targeting webmail servers via XSS flaws

Russia-linked espionage operation targeting webmail servers via XSS flaws

The campaign exploits XSS vulnerabilities in widely used webmail servers to steal sensitive data from high-value targets.
15 May 2025
Kosovo man extradited to US for running BlackDB.cc criminal marketplace

Kosovo man extradited to US for running BlackDB.cc criminal marketplace

If convicted on all counts, Masurica faces up to 55 years in federal prison.
14 May 2025