Russian Firm Controls Key Easyjson Code Used Globally
A widely used open-source Go library, Easyjson, is under the exclusive control of developers based in Moscow who are affiliated with VK Group, a major Russian tech conglomerate, according to researchers at Hunted Labs. The JSON serialization tool is deeply embedded in critical infrastructure, including Kubernetes, Helm and Istio, raising concerns over software supply chain security.
More than 85% of code contributions to the Easyjson repository have been traced to VK Group engineers. The company, formerly Mail.ru, is controlled by Russian state-backed entities and is subject to U.S. and EU sanctions.
Easyjson’s role in encoding and decoding sensitive data in financial and cloud-native systems heightens the risk. Although no malicious activity has been detected, experts warn that the library’s privileged access could be exploited for covert data exfiltration. Suggested mitigations include forking the project or transitioning to alternative tools maintained by more transparent and geographically diverse communities.
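One practical first step before forking or replacing the library is to inventory where it already sits in your own Go builds. The following Python script is an added illustration, not code from the Hunted Labs report or from the Easyjson project: it parses a Go module's go.mod, reports whether the easyjson module is a direct or indirect requirement and at which version, and checks whether a replace directive already redirects it to a fork. The import path github.com/mailru/easyjson is the library's actual module path; the go.mod contents, versions and fork directory below are constructed sample input.

```python
"""Audit a Go module's go.mod for a dependency of concern (added example, not the report's code)."""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

# Real module path of the library discussed in the article.
MODULE_OF_CONCERN = "github.com/mailru/easyjson"


@dataclass(frozen=True)
class Finding:
    present: bool
    version: Optional[str] = None
    indirect: bool = False
    replaced_with: Optional[str] = None  # target of a `replace` directive, if any


def _directives(text: str, keyword: str) -> Iterator[str]:
    """Yield the argument of every `keyword` directive, expanding `keyword ( ... )` blocks."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line == f"{keyword} (":
            i += 1
            while i < len(lines) and lines[i].strip() != ")":
                if lines[i].strip():
                    yield lines[i].strip()
                i += 1
        elif line.startswith(keyword + " "):
            yield line[len(keyword) + 1:].strip()
        i += 1


def parse_requires(text: str) -> Dict[str, Tuple[str, bool]]:
    """Map module path -> (version, is_indirect) from all require directives."""
    reqs: Dict[str, Tuple[str, bool]] = {}
    for arg in _directives(text, "require"):
        indirect = "// indirect" in arg
        parts = arg.split("//", 1)[0].split()
        if len(parts) >= 2:
            reqs[parts[0]] = (parts[1], indirect)
    return reqs


def parse_replaces(text: str) -> Dict[str, str]:
    """Map replaced module path -> replacement (module path + version, or a local directory)."""
    reps: Dict[str, str] = {}
    for arg in _directives(text, "replace"):
        arg = arg.split("//", 1)[0].strip()
        if "=>" not in arg:
            continue
        old, new = (s.strip() for s in arg.split("=>", 1))
        reps[old.split()[0]] = new
    return reps


def audit(go_mod_text: str, module: str = MODULE_OF_CONCERN) -> Finding:
    """Report whether `module` is required by this go.mod and whether a replace already redirects it."""
    reqs = parse_requires(go_mod_text)
    if module not in reqs:
        return Finding(present=False)
    version, indirect = reqs[module]
    return Finding(True, version, indirect, parse_replaces(go_mod_text).get(module))


# Constructed go.mod samples (module names, versions and paths are illustrative).
UNMITIGATED = """\
module example.com/payments

go 1.22

require (
\thelm.sh/helm/v3 v3.14.0
\tgithub.com/mailru/easyjson v0.7.7 // indirect
)
"""

MITIGATED = UNMITIGATED + """
replace github.com/mailru/easyjson => ./third_party/easyjson
"""

if __name__ == "__main__":
    for label, text in (("unmitigated", UNMITIGATED), ("mitigated", MITIGATED)):
        print(label, audit(text))
```

Note that go.mod lists only the requirements recorded for this module; to see every path by which easyjson reaches a build, run `go mod graph` or `go mod why github.com/mailru/easyjson` in the repository and feed that output to the same kind of check.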
