Russia-based Yandex employee oversees open-source software approved for Department of Defense use
Fast-glob, a widely used Node.js utility for quickly finding files and folders that match specific patterns, is maintained by a single developer working for Yandex, a Russian tech company that cooperates with requests from the Federal Security Service (FSB), Russia’s security and counterintelligence agency. The package has no known Common Vulnerabilities and Exposures (CVEs); however, its status as a single-maintainer project, with no contributor oversight, poor security hygiene, and deep integration into thousands of software projects, makes it a high-risk dependency.

This package is at significant risk of falling under foreign ownership, control, and influence. We recommend its immediate removal from products, particularly those purchased or used by the U.S. Department of Defense or the Intelligence Community.
As the DoD cracks down on foreign influence in software, this serves as another powerful reminder that knowing who writes your code is just as critical as understanding what the code does.
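Acting on a removal recommendation starts with knowing how the package reaches your tree, since a transitive pull-in through another dependency cannot be removed by editing package.json alone. The script below is an added example, not code from the Hunted Labs report or from the fast-glob project: it reads an npm lockfile (lockfileVersion 2 or 3) and lists every chain through which a named package enters the project, using a constructed sample lockfile in place of a real one.

```javascript
// Added example, not code from the Hunted Labs report or from fast-glob itself.
// Lists every chain through which a named package enters an npm project's
// dependency tree (lockfileVersion 2 or 3). The lockfile is constructed sample data.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "build-tool": "^1.0.0", "fast-glob": "^3.3.0" } },
    "node_modules/build-tool": { version: "1.0.0", dependencies: { globby: "^13.0.0" } },
    "node_modules/globby": { version: "13.0.0", dependencies: { "fast-glob": "^3.3.0" } },
    "node_modules/fast-glob": { version: "3.3.2" },
  },
};

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];
const ROOT = "<root>";

// Map each package name to the set of names that declare it as a dependency.
function reverseDeps(lock) {
  if (!lock.packages) throw new Error("lockfileVersion 2 or 3 required");
  const parents = new Map();
  for (const [path, meta] of Object.entries(lock.packages)) {
    // "" is the project root; nested node_modules prefixes are stripped,
    // scoped names like @scope/name survive intact.
    const dependent = path === "" ? ROOT : path.replace(/^.*node_modules\//, "");
    for (const field of DEP_FIELDS) {
      for (const dep of Object.keys(meta[field] || {})) {
        if (!parents.has(dep)) parents.set(dep, new Set());
        parents.get(dep).add(dependent);
      }
    }
  }
  return parents;
}

// Every chain [direct dependency, ..., target] from the project root to the
// target; a one-element chain means the target is a direct dependency.
function dependencyChains(lock, target) {
  const parents = reverseDeps(lock);
  const chains = [];
  const walk = (name, chain) => {
    for (const p of parents.get(name) || []) {
      if (p === ROOT) chains.push(chain);
      else if (!chain.includes(p)) walk(p, [p, ...chain]); // cycle guard
    }
  };
  walk(target, [target]);
  return chains;
}

for (const c of dependencyChains(sampleLock, "fast-glob")) console.log(c.join(" -> "));
```

On a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; each printed chain names the direct dependency that would have to be changed or replaced to drop the package.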
Popping Fast-Glob’s Hood - Hunted Labs
Solo maintainer poses supply chain risk to more than 5,000 software packages, including container images in Node.js and Department of Defense systems
Lea Bourgade (Hunted Labs)