Fast-glob is a Node.js utility that finds files and folders matching patterns. The maintainer uses the handle "mrmlnc" and online profiles identify him as Yandex developer Denis Malinochkin living in a Moscow suburb. Fast-glob is downloaded more than 79 million times weekly and is used by over 5,000 public projects plus more than 30 Department of Defense projects and Node.js container images. Attempts to contact the identified maintainer were unsuccessful and no ties to threat actors were found. The utility's deep system access creates multiple potential supply-chain attack vectors including filesystem exfiltration, DoS, injection, kill switches, and malware insertion.
The utility in question is fast-glob, which is used to find files and folders that match specific patterns. Its maintainer goes by the handle "mrmlnc", and the GitHub profile associated with that handle identifies its owner as a Yandex developer named Denis Malinochkin living in a suburb of Moscow. A website associated with that handle also identifies its owner as the same person, as Hunted Labs pointed out.
Hunted Labs told us that it didn't speak to Malinochkin prior to publication of its report today, and that it found no ties between him and any threat actor. The Register was unable to contact Malinochkin to confirm his identity or his role as the sole developer of fast-glob. We attempted to get in touch through an email address found on another website associated with the same name, but did not hear back.
While fast-glob has no known CVEs, the utility has deep access to systems that use it, potentially giving Russia a number of attack vectors to exploit. Fast-glob could attack filesystems directly to expose and steal info, launch a DoS or glob-injection attack, include a kill switch to stop downstream software from functioning properly, or inject additional malware, a list Hunted Labs said is hardly exhaustive.