tgoop.com/tech_b0lt_Genona/5315
In Russia the topic of SBOMs, and dependency control in general, is quite popular right now, because quite a few open-source dependencies have had, and could still have, a destructive effect, so to speak 🌝
But then something UNEXPECTED1!11! happened. Hunted Labs took a close look at the dependencies that get pulled into projects and found a Russian trace (I'll post the full PDF report in the comments). What's more, as they write, it is hard to drop this dependency. It's about easyjson (https://github.com/mailru/easyjson)
What is easyjson?
Easyjson is a Go package designed to optimize JSON serialization and deserialization processes by generating Go code for JSON encoding and decoding. Widely adopted across cloud-native ecosystems, it is a critical dependency for numerous open source and enterprise projects. This includes high-performance JSON handling in distributed systems, real-time data serialization for financial and analytics platforms, and optimization of cloud-native applications.
Who maintains easyjson?
A group of developers from VK, an entity with leadership that is under active U.S. and E.U. sanctions and has connections to Russian security services.
Who is impacted?
Cornerstones of the modern software supply chain and cloud-native tools have dependencies on easyjson, and all applications that pull in these dependencies could potentially be impacted, including, but not limited to:
- Helm
- Istio
- Kubernetes
How could this be weaponized or exploited?
Russia doesn’t need to attack directly. By influencing state-sponsored hackers to embed a seemingly innocuous OSS project deep in the American tech stack, they can wait, watch, and pull strings when it counts.
The Russian Open Source Project That We Can’t Live Without
https://huntedlabs.com/the-russian-open-source-project-that-we-cant-live-without/
The link describes in detail how and why they did their dependency research and what they concluded
Hunted Labs has provided exhaustive evidence regarding this advisory to the U.S. government and relevant stakeholders. So, what’s next?
The widespread use of easyjson makes finding a solution challenging. However, we cannot continue to blindly rely on this package due to the state of the current threats to our increasingly fragile software supply chain.
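Before deciding what to do about easyjson, a team first has to know whether it is in its own module graph at all and through which chain of requires it arrives. The Go program below is an added example (not from the post and not Hunted Labs' tooling): it parses the edge list that `go mod graph` prints and lists every require chain from the root module to github.com/mailru/easyjson. The sample graph and all module names other than easyjson are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` sample, one "parent child@version" edge per line; every name except easyjson is made up.
const sampleGraph = `example.com/app github.com/example/helmlike@v3.0.0
example.com/app github.com/example/istio-client@v1.2.0
github.com/example/helmlike@v3.0.0 github.com/mailru/easyjson@v0.7.7
github.com/example/istio-client@v1.2.0 github.com/example/apimachinery@v0.29.0
github.com/example/apimachinery@v0.29.0 github.com/mailru/easyjson@v0.7.7`

// ParseGraph maps each module to the modules it requires directly.
func ParseGraph(graph string) map[string][]string {
	deps := make(map[string][]string)
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			deps[f[0]] = append(deps[f[0]], f[1])
		}
	}
	return deps
}

// PathsTo returns every require chain from root to any version of the target module path; seen guards against cycles.
func PathsTo(deps map[string][]string, root, target string) [][]string {
	var out [][]string
	seen := map[string]bool{}
	var walk func(node string, chain []string)
	walk = func(node string, chain []string) {
		chain = append(chain, node)
		switch {
		case node == target || strings.HasPrefix(node, target+"@"):
			out = append(out, append([]string(nil), chain...)) // copy: chain's backing array is reused
		case !seen[node]:
			seen[node] = true
			for _, d := range deps[node] {
				walk(d, chain)
			}
			delete(seen, node)
		}
	}
	walk(root, nil)
	return out
}

func main() {
	fmt.Println(PathsTo(ParseGraph(sampleGraph), "example.com/app", "github.com/mailru/easyjson"))
}
```

On a real project, feed in the output of `go mod graph` with the root set to your own module path; `go mod why -m github.com/mailru/easyjson` shows one chain, while this walk lists all of them, which matters when a single removal is not enough.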
I liked the closing line of the article
> Oh, and we haven’t even talked about China…yet.
How many more discoveries still await them 🌝
BY Технологический Болт Генона
