Report: Russia-based Yandex employee oversees open-source software approved for DOD use


The package is listed inside Platform One’s Iron Bank, a vetted Defense Department software repository, people familiar say.

A Russia-based Yandex employee is the sole maintainer of a widely used open-source tool embedded in at least 30 pre-built software packages in the Department of Defense, raising potential risks of covert data exfiltration through sensitive digital tools used by the U.S. military, according to research first seen by Nextgov/FCW.

The tool, dubbed fast-glob, helps software developers operate on groups of files without having to write extra code, making it the preferred method for quickly searching and organizing project files.

It’s used in over 5,000 projects worldwide and is downloaded some 70 million times per week, according to the findings out Wednesday from software supply chain security firm Hunted Labs.

The maintainer is listed as Denis Malinochkin. As of publishing time, there is no known malicious code inside fast-glob, according to Hayden Smith, a Hunted Labs co-founder, who added that Malinochkin appears innocuous, though his standing as the only maintainer of the popular software package raises red flags.

“A project that is that popular should not be maintained by just one person,” he said. “[Even] if you take all the geolocation and geopolitical atmospherics and you remove those … having a solo maintainer for a project you critically depend on is extremely risky.”
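The single-maintainer exposure described above can be checked mechanically across a dependency tree. The following is an added example, not code from the article, Hunted Labs or the fast-glob project: it walks a constructed package-lock-style graph and flags every package whose registry metadata lists one maintainer or fewer, together with the chains that pull it in. The lock-file and registry fragments are constructed and assume npm's hoisted layout and the registry's `maintainers` field.

```python
"""Added example (not from the article): flag single-maintainer packages in a
dependency graph. Input shapes mimic package-lock.json v3 ("packages" keyed by
node_modules path with a "dependencies" map) and the npm registry's
"maintainers" list, but every value below is constructed for illustration."""
from collections import deque

# Constructed lock-file fragment: app -> tool-a -> fast-glob, app -> tool-b -> fast-glob.
# Assumes all packages are hoisted to top-level node_modules (no nested copies).
LOCK = {
    "": {"dependencies": {"tool-a": "1.0.0", "tool-b": "2.0.0"}},
    "node_modules/tool-a": {"dependencies": {"fast-glob": "3.3.2"}},
    "node_modules/tool-b": {"dependencies": {"fast-glob": "3.3.2", "left-lib": "1.0.0"}},
    "node_modules/fast-glob": {"dependencies": {}},
    "node_modules/left-lib": {"dependencies": {}},
}

# Constructed registry metadata: only the maintainer lists matter for this check.
REGISTRY = {
    "tool-a": {"maintainers": [{"name": "alice"}, {"name": "bob"}]},
    "tool-b": {"maintainers": [{"name": "carol"}, {"name": "dave"}]},
    "fast-glob": {"maintainers": [{"name": "solo-maintainer"}]},  # bus factor of one
    "left-lib": {"maintainers": [{"name": "erin"}, {"name": "frank"}]},
}

def dependency_paths(lock):
    """Return every dependency chain reachable from the root, as lists of package names."""
    paths, queue = [], deque([("", [])])
    while queue:
        key, chain = queue.popleft()
        for dep in lock.get(key, {}).get("dependencies", {}):
            path = chain + [dep]
            paths.append(path)
            queue.append((f"node_modules/{dep}", path))
    return paths

def solo_maintainer_packages(lock, registry, threshold=1):
    """Map each package with <= threshold maintainers to the chains that pull it in.
    A package missing from the registry data counts as zero maintainers and is flagged."""
    findings = {}
    for path in dependency_paths(lock):
        pkg = path[-1]
        count = len(registry.get(pkg, {}).get("maintainers", []))
        if count <= threshold:
            findings.setdefault(pkg, []).append(" -> ".join(["app"] + path))
    return findings

if __name__ == "__main__":
    for pkg, chains in solo_maintainer_packages(LOCK, REGISTRY).items():
        print(f"{pkg}: pulled in by {len(chains)} chain(s)")
        for chain in chains:
            print("  ", chain)
```

In practice the registry fragment would be fetched per package from the registry's metadata endpoint; the graph walk and threshold logic stay the same.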

The DOD’s Office of the Chief Information Officer, which advises the defense secretary on information technology, was alerted to the matter about three weeks ago, Smith added. Nextgov/FCW has reached out to the DOD, the Defense Information Systems Agency and Defense Counterintelligence and Security Agency for comment.

The fast-glob package is listed inside Platform One’s Iron Bank, the Pentagon’s vetted repository of software building blocks used by the U.S. military’s software developers and contractors to craft digital tools and applications, according to multiple people familiar with the matter. The people were granted anonymity to be candid about its use inside DOD software systems.

Yandex is a major Russian technology company that has been found to have extensive ties to the Kremlin and has promoted misinformation about Russia’s war in Ukraine.

The set-up, as is, could allow the Kremlin to carry out a state-sponsored intrusion into multiple projects that rely on fast-glob and force Malinochkin to make malicious, surreptitious changes without oversight from other users. Malinochkin is “more likely to encounter [Russia’s Federal Security Service] or state security individuals in their day-to-day duties and could be susceptible to coercion,” the report says. 

In an email sent to Nextgov/FCW, Malinochkin said that he has been developing and maintaining fast-glob for over seven years, which began prior to his employment at Yandex. He said the tool’s source code is fully open and auditable by potential users and that its development or support has never been a part of his professional duties in his current job.

“Nobody has ever asked me to manipulate fast-glob, introduce hidden changes to the project, or collect and share system data. I believe that open source is built on trust and diversity,” he wrote.

In July, Secretary of Defense Pete Hegseth signed a memorandum directing the Defense Department to “not procure any hardware or software susceptible to adversarial foreign influence that presents risk to mission accomplishment and must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the department.”

That memo came after ProPublica reported Microsoft had relied on China-based engineers to support its cloud services for the DOD. Microsoft has since severed those arrangements. 

Open-source projects rely on contributions from community members to keep them updated with patches. The updates are often discussed on forums with volunteer software maintainers.

Historically, community practices have operated under the premise that all contributors are benevolent. That notion was challenged last February when a user dubbed “Jia Tan” tried to quietly plant a backdoor into XZ Utils, a file transfer tool used in several Linux builds that power software in leading global companies.

“If you’re a nation state … you have a bunch of stuff that you’re doing fast, but you have other stuff that you’re doing very methodically, slowly or positioning strategically,” said George Barnes, the former deputy director of the National Security Agency.

Russia’s state-centered economy also allows the Kremlin to compel firms to act on behalf of the nation’s interest, including the use of hacking and disinformation campaigns. Yandex is one of several major domestic tech companies that the Russian government can heavily rely on, Barnes said.

“This piece of code has no known vulnerabilities. It’s ubiquitously leveraged and used globally, and it happens to have one maintainer sitting in Russia, and the [maintainer] might be totally fine,” he added, but “that situation subordinates him to a legal framework that’s not in his control.”

Barnes is now a president at Red Cell Partners, an incubation firm that lists Hunted Labs among its portfolio companies.

Chinese, Russian and North Korean-affiliated hackers are covertly working to insert backdoor hijacks and exploits into major publicly available software used by countless organizations, developers and governments around the world, according to findings from Strider Technologies released earlier this month.

Russia has continued broad cyber activities despite recent U.S. efforts to bring the Kremlin to the negotiating table with Ukraine. An FSB-linked group has attempted to spy on foreign embassies in Moscow by targeting local internet and telecom infrastructure used by diplomatic personnel, Microsoft said in late July.

Editor's note: This article has been updated to include comment from Denis Malinochkin.