Cybersecurity experts are warning that a widely used open-source software package may pose a persistent national security threat to the United States. The tool, called easyjson, is extensively deployed across US government systems and key sectors including finance, healthcare, and technology, according to new research from security firm Hunted Labs.
Easyjson, a Go package designed to optimize the serialization and deserialization of JSON data, is a critical dependency in numerous enterprise and cloud-native applications. It is used in software stacks involving Kubernetes, Helm, Istio, and other foundational cloud tools, many of which are used by the US Department of Defense and major American businesses.
Hunted Labs found that easyjson appears to be entirely maintained by developers based in Moscow, many of whom are employed by VK Group, formerly known as Mail.ru, one of Russia’s largest internet conglomerates. VK is controlled by Russian state-owned entities, and its CEO, Vladimir Kiriyenko, is under US and EU sanctions due to his ties to the Kremlin.
Kiriyenko, the son of one of President Vladimir Putin’s top aides, took the helm at VK in December 2021, shortly before Russia’s full-scale invasion of Ukraine. Since then, VK has increasingly aligned with the Russian government’s authoritarian posture.
Although easyjson has seen fewer updates in recent years — most development activity occurred prior to 2020 — its continued presence in key software stacks makes it a high-priority concern. Hunted Labs says that while it has not found evidence of malicious code in the current version, the project’s Russian control and high-value integration make it a potential vector for supply chain attacks.
“Russia doesn’t need to attack directly. By influencing state-sponsored hackers to embed a seemingly innocuous OSS project deep in the American tech stack, they can wait, watch, and pull strings when it counts. A well-placed backdoor or subtle bug could become the digital equivalent of a sleeper cell—with impact spanning from the Pentagon to your iPhone,” Hunted Labs said, noting that the package could be exploited as part of supply chain attacks, via a remote code execution (RCE), espionage, data exfiltration, and a kill switch activation.