A new investigation by cybersecurity firm Hunted Labs has uncovered that “easyjson,” a pivotal open source software library, is entirely owned, maintained, and controlled by software developers employed by VK Group (formerly Mail.ru), one of Russia’s largest internet conglomerates based in Moscow.
VK Group is not only majority controlled by Russian state-owned entities but also includes leadership figures currently under active U.S. and E.U. sanctions for state connections and alleged security service cooperation.
Easyjson is a Go programming language package purpose-built to streamline JSON serialization and deserialization by generating efficient Go code for encoding and decoding tasks.
This optimization is essential for high-performance distributed systems, real-time analytics, and numerous cloud-native applications.
Hunted Labs reports that easyjson is not only widely integrated into U.S. Government IT systems and Fortune 500 companies, but also forms a critical dependency in core Cloud Native Computing Foundation (CNCF) projects such as Helm, Istio, and Kubernetes.
Advanced threat analysis using Hunted Labs’ Entercept platform, designed to flag foreign ownership and control in software, identified easyjson as a potential vector for supply chain risk.

The investigation revealed that over 85% of its commits originate from Russian contributors, all linked to VK Group.
Given the breadth of its integration, any compromise in easyjson could disrupt or endanger the backbone of global cloud infrastructure.
Trusted Open Source Software
Although easyjson’s role as a code serializer traditionally grants it a degree of isolation, the nature of its integration makes it difficult to monitor, remove, or replace.
Once embedded, such libraries are implicitly trusted by downstream dependencies, making them ideal targets for covert exploitation.
Potential attack scenarios range from remote code execution through malicious deserialization bugs to the installation of backdoors for large-scale compromise, targeted espionage, data exfiltration, or even remotely triggered kill switches.
Unlike direct assaults, a compromised open source dependency can operate as a digital sleeper cell: dormant and undetected until activated, with the potential to ripple through both private and public sector systems.
VK, through its flagship platform Vkontakte, dominates the Russian internet landscape and is widely reported to collaborate with Russian security services, particularly in the context of censorship, surveillance, and information operations, especially regarding the ongoing Ukraine conflict.
Its state ownership via Gazprom Media and compliance with Kremlin-mandated censorship strengthen the argument that VK-operated technologies could serve strategic national interests, not just commercial objectives.
The revelation that a Moscow-based team, employed by a state-linked and internationally sanctioned corporation, maintains such a high-value component within the American and global software supply chain raises critical questions about the adequacy of vetting and risk management in open source dependency adoption.
The investigation began with a reverse-engineered dependency hunt across over 2,500 open source and containerized software images.
Hunted Labs’ researchers used dependency mapping and threat search tools to discover and confirm the widespread use of easyjson, first flagged by its high concentration of contributions from VK Group’s Moscow office.
Subsequent deep scans found easyjson embedded in thousands of open source and enterprise projects, many serving as pillars of today’s cloud-native infrastructure.
Ownership analysis and repository forensics traced governance and maintenance back to VK Group, confirming the extent of foreign, specifically Russian, control.
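As an added illustration of the dependency-mapping step described above (example code, not Hunted Labs' Entercept tooling or anything from the easyjson project), the following Go program parses `go mod graph` output and reports the shortest chain through which a flagged module enters a build, which is how a defender can see why a transitive dependency like easyjson (import path github.com/mailru/easyjson) is present and what would have to change to remove it. The sample graph, the service name and the module versions are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output for a hypothetical service
// that pulls in Kubernetes client libraries; versions are made up.
const sampleGraph = `example.com/myservice k8s.io/client-go@v0.0.1
k8s.io/client-go@v0.0.1 k8s.io/apimachinery@v0.0.1
k8s.io/apimachinery@v0.0.1 k8s.io/kube-openapi@v0.0.1
k8s.io/kube-openapi@v0.0.1 github.com/mailru/easyjson@v0.7.0`

// parseModGraph turns "parent child" lines into an adjacency list, dropping
// the "@version" suffix so every version of a module is the same node.
func parseModGraph(text string) map[string][]string {
	adj := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			p, c := strings.SplitN(f[0], "@", 2)[0], strings.SplitN(f[1], "@", 2)[0]
			adj[p] = append(adj[p], c)
		}
	}
	return adj
}

// dependencyPath breadth-first searches from root and returns the shortest
// chain of modules that pulls in target, or nil if target is not a dependency.
func dependencyPath(adj map[string][]string, root, target string) []string {
	paths := map[string][]string{root: {root}} // module -> shortest chain from root
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		for _, next := range adj[queue[0]] {
			if _, seen := paths[next]; seen {
				continue
			}
			paths[next] = append(append([]string{}, paths[queue[0]]...), next)
			if next == target {
				return paths[next]
			}
			queue = append(queue, next)
		}
	}
	return nil
}

func main() {
	path := dependencyPath(parseModGraph(sampleGraph), "example.com/myservice", "github.com/mailru/easyjson")
	fmt.Println(strings.Join(path, " -> "))
}
```

On a real module, pipe `go mod graph` into the parser instead of the constant; repeating the search for each entry on an ownership watch list gives the inventory the audit recommendation calls for.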
This discovery exposes a critical blind spot in the broader tech industry’s reliance on open source codebases.
While international collaboration is a hallmark of open source innovation, the unchecked integration of code maintained by entities affiliated with sanctioned or adversarial states poses systemic supply chain security risks.
Hunted Labs emphasizes that organizations must intensify efforts to audit, vet, and monitor key dependencies to mitigate the risks of inadvertent exposure to foreign influence and potential attack vectors.
The findings underscore the urgent need for supply chain transparency and the development of robust safeguards to protect foundational digital infrastructure from adversarial manipulation.