Report: Russia-based Yandex employee oversees open-source software approved for DOD use
Briefly

A Russia-based Yandex employee is the sole maintainer of fast-glob, an open-source utility used to operate on groups of files without extra code. Fast-glob is embedded in at least 30 pre-built Department of Defense software packages and listed in Platform One's Iron Bank. The package appears in over 5,000 projects worldwide and receives about 70 million downloads per week. The sole-maintainer status combined with the maintainer's location raises supply-chain and covert data-exfiltration concerns for sensitive military tools. There is currently no known malicious code in fast-glob. The DOD's Office of the Chief Information Officer was alerted approximately three weeks ago.
A Russia-based Yandex employee is the sole maintainer of a widely used open-source tool embedded in at least 30 pre-built software packages in the Department of Defense, raising potential risks of covert data exfiltration through sensitive digital tools used by the U.S. military, according to research first seen by Nextgov/FCW. The tool, dubbed fast-glob, helps software developers operate on groups of files without having to write extra code, making it the preferred method for quickly searching and organizing project files.
The maintainer, listed as Denis Malinochkin, did not immediately return a request for comment via a Yandex email address registered to his personal webpage. As of publishing time, there is no known malicious code inside fast-glob, according to Hayden Smith, a Hunted Labs co-founder, who added that Malinochkin appears innocuous, though his standing as the only maintainer of the popular software package raises red flags.
The DOD's Office of the Chief Information Officer, which advises the defense secretary on information technology, was alerted to the matter about three weeks ago, Smith added. Nextgov/FCW has reached out to the DOD, the Defense Information Systems Agency and Defense Counterintelligence and Security Agency for comment. The fast-glob package is listed inside Platform One's Iron Bank, the Pentagon's vetted repository of software building blocks used by the U.S. military's software developers and contractors to craft digital tools and applications, according to multiple
Read at Nextgov.com