The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm.
Security researchers warn that a popular open source tool maintained by Russian developers could pose significant risks to US national security.
Key Points:
The open source tool easyjson is linked to VK Group, a company run by a sanctioned Russian executive.
easyjson is widely used in the US across various critical sectors including defense, finance, and healthcare.
Concerns are heightened due to the potential for data theft and cyberattacks stemming from this software.
*Recent findings from cybersecurity researchers at Hunted Labs indicate that easyjson, a code serialization tool for the Go programming language, is at the center of a national security alert. This tool, which has been integrated into multiple sectors such as the US Department of Defense, is maintained by a group of Russian developers linked to VK Group, led by Vladimir Kiriyenko. While the complete codebase appears secure, the geopolitical context surrounding its management raises substantial concerns about the potential risks involved.
The significance of easyjson cannot be overstated, as it serves as a foundational element within the cloud-native ecosystem, critical for operations across various platforms. With connections to a sanctioned CEO and the broader backdrop of Russian state-backed cyberattacks, the fear is that easyjson could be manipulated to conduct espionage or potentially compromise critical infrastructures. Such capabilities underscore the pressing need for independent evaluations and potential reevaluations of software supply chains, particularly when foreign entities are involved.
Kandji researchers uncovered and disclosed key macOS vulnerabilities over the past year. Learn how we protect customers through detection and patching.
When we discover weaknesses before attackers do, everyone wins. History has shown that vulnerabilities like Gatekeeper bypass and TCC bypass zero-days don't remain theoretical for long—both of these recent vulnerabilities were exploited in the wild by macOS malware. By investing heavily in new security research, we're helping strengthen macOS for everyone.
Once reported to Apple, the fix for these vulnerabilities is not always obvious. Depending on the complexity, it can take a few months to over a year, especially if it requires major architectural changes to the operating system. Apple’s vulnerability disclosure program has been responsive and effective.
Of course, we don't just report issues and walk away. We ensure our products can detect these vulnerabilities and protect our customers from potential exploitation while waiting for official patches.
In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild.
In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild. The disclosure of known exploited vulnerabilities was from 50 different sources. We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure. This trend continues from a similar pace we saw in 2024. This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt.
Here are the key take-aways from our analysis and coverage of known exploited vulnerabilities:
Exploited vulnerabilities have turned up in Ivanti products 16 times since 2024. That’s more than any other vendor in the network edge device space.
Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency and commits to sharing information with that goal in mind. While efforts by threat actors to exploit known vulnerabilities are not new, recent Fortinet investigations have discovered a post exploitation technique used by a threat actor. This blog offers analysis of that finding to help our customers make informed decisions.
We share actionable mitigation and detection strategies against IngressNightmare so you can protect against possible exploitation in runtime.
Apple has delivered a big batch of OS updates, some of which belatedly patch older versions of its operating systems to address exploited-in-the-wild flaws the iGiant earlier fixed in more recent releases.
GreyNoise has identified a notable resurgence of in-the-wild activity targeting three ServiceNow vulnerabilities CVE-2024-4879 (Critical), CVE-2024-5217 (Critical), and CVE-2024-5178 (Medium). These vulnerabilities reportedly may be chained together for full database access.
Between late January and early March, Forescout Research – Vedere Labs identified a series of intrusions based on two Fortinet vulnerabilities. It began with the exploitation of Fortigate firewall appliances — culminating in the deployment of a newly discovered ransomware strain we have dubbed SuperBlack.
In a first-of-its-kind report, the US government has revealed that it disclosed 39 zero-day software vulnerabilities to vendors or the public in 2023 for the purpose of getting the vulnerabilities patched or mitigated, as opposed to retaining them to use in hacking operations.
It’s the first time the government has revealed specific numbers about its controversial Vulnerabilities Equities Process (VEP) — the process it uses to adjudicate decisions about whether zero-day vulnerabilities it discovers should be kept secret so law enforcement, intelligence agencies, and the military can exploit them in hacking operations or be disclosed to vendors to fix them. Zero-day vulnerabilities are security holes in software that are unknown to the software maker and are therefore unpatched at the time of discovery, making systems that use the software at risk of being hacked by anyone who discovers the flaw.
VulnCheck and partner GreyNoise discovered Zyxel-related vulnerabilities being targeted in the wild. In this blog, VulnCheck describes the vulnerabilities CVE-2024-40891 and CVE-2025-0890.
A new NCSC research paper aims to reduce the presence of ‘unforgivable’ vulnerabilities.
The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities within the needrestart component, which is installed by default on Ubuntu Server. These vulnerabilities can be exploited by any unprivileged user to gain full root access without requiring user interaction. The identified flaws have been assigned the CVE identifiers CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003, highlighting the need for immediate remediation to protect system integrity.
Our TRU team has successfully developed functional exploits for these vulnerabilities. While we will not disclose our exploits, please be aware that these vulnerabilities are easily exploitable, and other researchers may release working exploits shortly following this coordinated disclosure.
These vulnerabilities have been present since the introduction of interpreter support in needrestart version 0.8, released in April 2014.
In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day.
Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.
Kandji's Threat Research team performed an audit on the macOS diskarbitrationd & storagekitd system daemons, uncovering several (now fixed) vulnerabilities
A vulnerability categorized as “critical” in a photo app installed by default on Synology network-attached storage devices could give attackers the ability to steal data and worse.
Sophos went so far as to plant surveillance “implants” on its own devices to catch the hackers at work—and in doing so, revealed a glimpse into China's R&D pipeline of intrusion techniques.
14 new DrayTek router vulnerabilities, including critical flaws, could allow attackers to take control. Patch now
An adversary could exploit these vulnerabilities by injecting malicious libraries into Microsoft's applications to gain their entitlements and user-granted permissions.
In collaboration with renowned security researcher Orange Tsai and DEVCORE, Akamai researchers have issued early-release remediations to Apache CVEs for our Akamai App & API Protector customers.
Tsai presented his research at Black Hat USA 2024 and outlined the details for many Apache HTTP Server (httpd) vulnerabilities that were recently patched.
Before his Black Hat presentation, the Akamai Security Intelligence Group (SIG) proactively contacted Tsai to facilitate the sharing of technique details for proactive defense for our customers.
App & API Protector customers who are in automatic mode have existing and updated protections.
