Chinese, Russian, and North Korean-affiliated hackers are covertly working to insert backdoor hijacks and exploits into major publicly available software used by countless organizations, developers, and governments around the world, according to findings released Monday by Strider Technologies.
The malicious insertions into these open-source tools could allow hackers to pilfer troves of sensitive data from governments and private-sector firms, according to Strider, which analyzed open-source code contributors who have direct affiliations with foreign adversaries.
Open-source projects — which underpin software systems used everywhere — rely on contributions from community members to keep them updated with patches. The updates are often discussed on forums with volunteer software maintainers, who chat with one another about proposed changes.
Historically, community practices have operated under the premise that all contributors are benevolent. But that notion was challenged last February when a user dubbed “Jia Tan” tried to quietly plant a backdoor into XZ Utils, a file transfer tool used in several Linux builds that power software in leading global companies.
Strider, a strategy intelligence firm that tracks economic espionage, said it used an open-source software screening tool and identified handles with affiliations to countries like China and Russia.
In one case, more than 20% of the people who have contributed to openvino-genai — a code base that lets AI models run on consumer devices — have connections or work relationships that are considered national security risks, according to the research.
One contributor, “as-suvorov,” used to work for MFI Soft, a software company that the U.S. has sanctioned for its association with hardware and software development used for Russian intelligence collection. MFI Soft did significant work for the Department of Homeland Security’s Federal Protective Service, which gathers and analyzes foreign communications, according to Strider.
The second person, “sbalandi,” previously worked for Positive Technologies, a Russian IT company sanctioned by the U.S. in 2021 for helping with cyberattacks and supporting Russian government hackers.
Strider also analyzed treelib, a package in the Python programming language used to create data structures and visuals with tree plots that help explain connected information like file systems or family trees.
The treelib package on GitHub shows its widespread use, with some 878,000 downloads by the time Strider published its findings. According to Strider analysis, the treelib repository owner, “Chen,” has contributed 154 times to the package. But since 2022, Chen has worked at Alibaba Cloud, a Chinese cloud computing company known for collaborating with state-affiliated defense conglomerates and sharing code vulnerabilities with a Chinese government intelligence database.
Chen is also a researcher at Baiyulan Open AI, a Chinese state-backed organization that connects with open-source communities globally. Chen holds a PhD in Behavior Informatics from Shanghai Jiao Tong University, a Chinese university with research ties to the People’s Liberation Army and state-owned defense industry giants.
During his time at SJTU, Chen specialized in mobile data mining, researching public surveillance methods at a key Chinese state laboratory, and his research was funded by Chinese entities, including Huawei Technologies, according to Strider.
The company did not specify the sources and methods used to trace Chen and other malicious users to their professional roles and affiliations.
“Open source software platforms are the backbone of today’s digital infrastructure, yet in many cases it’s unclear even who is submitting the code,” Greg Levesque, CEO and co-founder of Strider, said in a statement. “In turn, nation-states like China and Russia are exploiting this visibility gap. Individuals are lying in wait, building credibility in the ecosystem with the power to introduce malicious code with devastating downstream effects.”
Over half of critical open source tools are underpinned by code that does not internally manage memory spillover risks, opening them up to potential exploitation by hackers, the Cybersecurity and Infrastructure Security Agency said last summer.
This week, seven teams will compete at the DEF CON hacker conference, where the Defense Advanced Research Projects Agency will evaluate their AI-powered systems designed to autonomously identify and patch vulnerabilities in open-source code.
