The Single Point of Failure: A Russian Developer Maintains a Core Node.js Library
The fast-glob library—used in thousands of public Node.js projects and in more than thirty systems of the U.S. Department of Defense—has turned out to be the work of a single developer. Online profiles indicate that its sole author is Denis Malinochkin, a Russian programmer employed at Yandex.
This revelation was published by the American company Hunted Labs. Fast-glob is a utility for searching files and directories based on specified patterns. On GitHub, its creator uses the handle mrmlnc, and linked profiles and websites confirm his identity. Hunted Labs stressed that no connections between Malinochkin and any hacker groups have been discovered.
According to Hunted Labs, fast-glob is downloaded more than 79 million times per week and is employed in over 5,000 public projects, as well as in Node.js container images. With closed systems included, the actual number of dependent solutions could be far higher.
Although fast-glob currently has no registered vulnerabilities (CVEs), experts emphasize that the library’s extensive access to file systems makes it a theoretically attractive target for exploitation. Potential risks could include data theft, denial-of-service attacks, or malicious code injection.
Hunted Labs founder Hayden Smith warned that highly popular projects without external oversight may serve as convenient entry points for adversaries. He stressed that the open-source community must devote more attention to issues of trust and independent auditing.
Following the report’s publication, Malinochkin himself confirmed that he is indeed the sole author of fast-glob and has maintained it for more than seven years:
“Fast-glob is a popular solution for file system pattern-based search. Since 2016, I have been developing and maintaining it alone. The project was created before my work at Yandex and has never been connected to my professional duties. I released it as open source because I believed it would be useful for developers, and I am glad that this turned out to be true.”
He further stressed that fast-glob operates strictly locally and contains no network functions:
“The utility is fully under the user’s control: search patterns are defined by the user, and execution can be verified by reviewing the source code on GitHub or in the package manager. No one has ever asked me to embed hidden features, collect data, or alter the project. I firmly believe that open source is built on trust and diversity.”
Hunted Labs concluded that the simplest way to reduce risk would be to bring additional maintainers onto the project and ensure independent oversight. Without such measures, users may eventually be forced to seek alternatives to fast-glob.