Imagine discovering that a tiny, efficient piece of code running inside thousands of U.S. Department of Defense systems—along with software in finance, healthcare, and critical infrastructure—is maintained primarily by developers in Moscow, linked to a Russian tech giant whose leadership is under U.S. sanctions.

That’s exactly the scenario unfolding around easyjson, an open-source serialization tool for the Go programming language. There’s no evidence of malicious code today. No backdoors, no vulnerabilities—just clean, performant software. Yet, its ties to VK Group (formerly Mail.ru), whose CEO is the son of a top Putin aide and is himself under U.S. sanctions, have set off alarm bells across the cybersecurity community.

Is this a case of unfair profiling based on nationality? Or is it a sober, necessary acknowledgment of modern software supply chain risk?

Let’s break it down.

The “Trojan Horse” Fear: A Legitimate Concern?

The worry isn’t that easyjson is malicious right now. It’s what it could become.

We’ve seen this movie before. The SolarWinds attack in 2020 saw Russian intelligence slip malicious code into a legitimate software update, compromising U.S. government agencies and Fortune 500 companies. The NotPetya ransomware, attributed to Russian military hackers, spread globally by hijacking a Ukrainian software update, causing billions in damages.

In the world of open source, a single maintainer—or a compromised account—can introduce subtle changes that turn a trusted library into a weapon. The recent XZ Utils backdoor incident showed how a trusted contributor can slowly introduce malicious code over time, nearly compromising SSH security worldwide.

Easyjson isn’t some niche package. It’s deeply embedded in the cloud-native ecosystem. If a future update included malicious logic, it could exfiltrate data, disrupt operations, or serve as a “kill switch” in critical systems—all under the guise of a routine dependency update.

Given that Russian military cyber units are actively targeting U.S. and NATO critical infrastructure—often using open-source tools themselves—the concern isn’t paranoia. It’s strategy.

Or Unfair Suspicion? The Other Side of the Argument

On the flip side, open source has always been a global effort. Judging code—or coders—by their passport undermines the collaborative, meritocratic ethos that built the internet as we know it.

There’s no evidence that the developers behind easyjson have any ill intent. In fact, security researchers describe the code as “totally efficient.” Many talented Russian developers contribute to open source with no political agenda—they’re solving technical problems, just like their peers in Silicon Valley or Berlin.

Sanctions also create a gray area. While VK’s CEO is sanctioned, VK Group itself is not. That puts organizations in a difficult position: are they expected to blacklist every developer affiliated with a company in a rival nation? What about Chinese contributors? Iranian? Where does it end?

If we start excluding developers based on nationality, we risk fragmenting the open-source community and losing valuable contributions—all while creating a false sense of security.

The Bigger Picture: It’s Not About One Library

Easyjson is just the tip of the iceberg. A recent study found that 90% of software products managing the U.S. power grid contain code from Russian or Chinese developers. Software with code from these nations was 2.25x more likely to contain vulnerabilities—not because of malice, but often due to less rigorous review processes.

The problem isn’t necessarily the developers—it’s the systemic lack of oversight in open-source supply chains. Many critical projects are under-maintained, under-funded, and run by small teams whose identities and motivations are hard to verify.

We’re building critical systems on a foundation of trust—without always knowing who we’re trusting.

So What’s the Solution?

We can’t—and shouldn’t—stop using open source. But we can be smarter about how we use it:

Embrace Software Bills of Materials (SBOMs): Know what’s in your software. An SBOM acts like an ingredient list, making it easier to spot risky dependencies.
Shift from Trusting People to Trusting Process: Use tools that verify how code was built, signed, and reviewed—not just who wrote it.
Fund and Maintain Critical Projects: Governments and corporations should invest in the security of widely used open-source projects, ensuring they have diverse, accountable maintainers.
Practice “Risk-Informed” Decision Making: Not all open-source code carries the same risk. Evaluate dependencies based on criticality, maintenance status, and affiliation.

Where Do You Stand?

The easyjson situation forces us to confront an uncomfortable truth: in a world of geopolitical rivalry, open source can be both a engine of innovation and a vector of risk.

Is it fair to scrutinize a developer based on nationality? Maybe not. But is it prudent to scrutinize software based on its geopolitical context and potential for harm? Absolutely.

The line between caution and discrimination is thin. But in cybersecurity, assuming good faith without verifying security is a luxury we can’t always afford.

What do you think? Is the open-source community facing a new era of balkanization, or is this simply responsible risk management?

References:

https://www.wired.com/story/easyjson-open-source-vk-ties/
https://www.herodevs.com/blog-posts/easyjson-security-concerns-and-the-open-source-supply-chain
https://www.fortressinfosec.com/hubfs/A%20Software%20Supply%20Chain%20Dependent%20on%20Adversaries%202024.pdf
https://www.darktrace.com/blog/breaking-down-nation-state-attacks-on-supply-chains
https://media.defense.gov/2024/Sep/05/2003537870/-1/-1/0/CSA-Russian-Military-Cyber-Target-US-Global-CI.PDF

Easyjson's Geopolitical Risk: Open Source Code and National Security Concerns