from Pro@programming.dev to cybersecurity@sh.itjust.works on 27 Aug 18:16
https://programming.dev/post/36421568
cross-posted from: programming.dev/post/36420260
Fast-glob, a widely used Node.js utility designed to quickly find files and folders that match specific patterns, is maintained by a single developer working for Yandex, a Russian tech company that cooperates with requests from the Federal Security Service (FSB), Russia’s security and counterintelligence agency. The package has no known common vulnerabilities and exposures (CVEs); however, its status as a single-maintainer project—with no contributor oversight, poor security hygiene, and deep integration into thousands of software projects—makes it a high-risk dependency.
This package is at significant risk of falling under foreign ownership, control, and influence. We recommend its immediate removal from products, particularly those purchased or used by the U.S. Department of Defense or the Intelligence Community.
As the DoD cracks down on foreign influence in software, this serves as another powerful reminder that knowing who writes your code is just as critical as understanding what the code does.
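Acting on a removal recommendation like this starts with knowing whether the package is in your dependency tree at all and through which parents it arrives. The following Python script is an added illustration, not code from the post or from the report it cites: it walks a lockfileVersion 2 or 3 package-lock.json (the "packages" map keyed by install path) and lists every dependency chain from the project root to a named package. The lockfile content is constructed for the example.

```python
"""List every dependency chain from a project root to a named npm package
in a package-lock.json (lockfileVersion 2/3 "packages" map).
Only the "dependencies" field of each entry is followed; optional and peer
dependencies are ignored to keep the example short (a simplification)."""
import json

# Constructed lockfile fragment (not a real project): root -> globby -> fast-glob,
# and root -> tooling -> nested globby -> fast-glob (hoisted copy).
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"globby": "^14.0.0", "tooling": "^1.0.0"}},
        "node_modules/globby": {"version": "14.0.0",
                                "dependencies": {"fast-glob": "^3.3.0"}},
        "node_modules/fast-glob": {"version": "3.3.2"},
        "node_modules/tooling": {"version": "1.0.0",
                                 "dependencies": {"globby": "^13.0.0"}},
        "node_modules/tooling/node_modules/globby": {"version": "13.2.2",
                                                     "dependencies": {"fast-glob": "^3.3.0"}},
    },
})


def resolve(packages, parent, name):
    """Mimic Node's lookup: nearest node_modules/<name> walking up from parent."""
    base = parent
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # reached the root without finding the package
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def chains_to(lock_json, target):
    """Return all root-to-target chains as lists of 'name@version' strings."""
    packages = json.loads(lock_json)["packages"]
    found = []

    def walk(path, trail, seen):
        for dep in packages[path].get("dependencies", {}):
            child = resolve(packages, path, dep)
            if child is None or child in seen:  # unresolved or cyclic
                continue
            label = f"{dep}@{packages[child].get('version', '?')}"
            if dep == target:
                found.append(trail + [label])
            else:
                walk(child, trail + [label], seen | {child})

    walk("", ["<root>"], {""})
    return found


if __name__ == "__main__":
    for chain in chains_to(SAMPLE_LOCK, "fast-glob"):
        print(" -> ".join(chain))
```

Point the script at a real lockfile by replacing SAMPLE_LOCK with the file's contents; a chain of length two means the package is a direct dependency, longer chains show which parent packages would also need replacing.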
It’s funny. I’ve been relying on Yandex for all my pirate stream and torrent searches, because they’re not nearly as locked down as Google or Bing.