Sole Maintainer of Popular Node.js Utility Raises Security Concerns

2025-08-28
A Node.js utility, fast-glob, used by thousands of public projects and over 30 Department of Defense systems, is maintained solely by a Yandex employee residing in Russia. While fast-glob has no known vulnerabilities, its deep system access and the maintainer's affiliation with Yandex raise serious security concerns. Hunted Labs' report notes the utility's 79+ million weekly downloads, a figure that shows how broad the exposure would be if the package were ever compromised. The case underscores the critical importance of open-source supply-chain security and the need to know who writes your code.