Department of Defense is Relying on Russian-Maintained Node.js Tool

A recent report by cybersecurity firm Hunted Labs has drawn attention to the US Department of Defense’s (DoD) reliance on fast-glob, a Node.js utility maintained by a single developer based in Russia.

The Register’s Brandon Vigliarolo writes that the utility, which helps locate files by pattern matching, is embedded in thousands of public projects and DoD systems, making its stewardship and ties to Russia an issue of concern.

Fast-glob is widely adopted, with over 79 million weekly downloads, integration into more than 5,000 public projects, and extensive private use.

Its maintainer, Denis Malinochkin, a Yandex employee residing near Moscow, confirmed he is the sole developer. He denies being asked to manipulate the project.

Malinochkin emphasized that the Node.js code is fully open source, auditable, and free of networking or hidden functions.

Hunted Labs noted that open-source software is particularly susceptible to supply chain risks when maintained by individuals without external oversight.

The firm linked its concerns to Russia’s long-standing ties between Yandex and the Kremlin, though it found no evidence connecting Malinochkin to any threat actor.

The Department of Defense, despite receiving Hunted Labs’ findings weeks before publication, has not indicated how it plans to respond. Security experts stress that potential risks exist regardless of whether malicious intent is proven.

Legal teams can track the issues raised by this revelation, among them software supply chain liability, vendor selection, and compliance with government restrictions on foreign-influenced technology.

It also illustrates the growing need for contractual safeguards, due diligence in technology procurement, and careful oversight of widely used open-source components.