Not So Fast and Furious: Popping Fast-Glob’s Hood

Solo maintainer poses supply chain risk to more than 5,000 software packages, including Node.js container images and Department of Defense systems

Written by: Hunted Labs

TL;DR

Fast-glob, a widely used Node.js utility designed to quickly find files and folders that match specific patterns, is maintained by a single developer working for Yandex, a Russian tech company that cooperates with requests from the Federal Security Service (FSB), Russia’s security and counterintelligence agency. The package has no known common vulnerabilities and exposures (CVEs); however, its status as a single-maintainer project—with no contributor oversight, poor security hygiene, and deep integration into thousands of software projects—makes it a high-risk dependency.

This package is at significant risk of falling under foreign ownership, control, and influence. We recommend its immediate removal from products, particularly those purchased or used by the U.S. Department of Defense or the Intelligence Community. 

As the DoD cracks down on foreign influence in software, this serves as another powerful reminder that knowing who writes your code is just as critical as understanding what the code does.

What is fast-glob?

Fast-glob is a software package used in Node.js environments to efficiently search for and match files using flexible pattern rules, a practice known as “globbing.” It supports synchronous, asynchronous, and streaming APIs, making it adaptable to the needs of various projects. The library supports inclusion and exclusion patterns, enabling precise file targeting. Fast-glob includes TypeScript type definitions out of the box, improving the developer experience in typed environments. Its speed and feature set make it a preferred alternative to older globbing libraries like node-glob.

Originally released in December 2016, fast-glob has been actively maintained and has gained widespread adoption within the JavaScript ecosystem. It is used in more than 5,000 public projects—including popular tools like Prettier—and currently receives more than 79 million downloads per week. Our investigation found it in more than 30 containers in approved DoD systems.

Who controls fast-glob?

Fast-glob’s creator and sole maintainer goes by the GitHub username mrmInc and lists their name as Denis Malinochkin in their GitHub profile. On Malinochkin’s public profile and website, they claim to be an engineer at Yandex, a Russian technology company, living in Odintsovo, Russia, a western suburb of Moscow.

Via the mrmInc profile, Malinochkin is a significant contributor to and/or maintainer of projects that directly and indirectly support fast-glob, including:

  • @nodelib/fs.stat – which enables rapid retrieval of file and directory metadata (like size or modified time) using fs.stat and fs.lstat
  • @nodelib/fs.walk – which recursively walks through directories, collecting file paths and metadata
  • @nodelib/fs.scandir – which reads the contents of a directory (non-recursively), returning basic entry info like names and types
  • picomatch – a lightweight glob pattern matching library for JavaScript, which converts glob patterns into efficient regular expressions
  • braces – a JavaScript library that expands or compiles brace patterns into arrays or regex, often used to generate lists of strings or match file paths


As a result of these contributions, mrmInc maintains a high degree of control over fast-glob’s functional dependencies, as well as commonly used alternatives.

Possible Russian-state influence

A solo maintainer based in an authoritarian country, one with a strong security service and limited human rights protections, poses a potential risk to the security and integrity of the package, especially one with the access and popularity of fast-glob. Furthermore, given their association with Yandex, a Russian technology company best known for Yandex Search, the most popular search engine in Russia, the developer is also more likely to encounter the FSB or other state security personnel in their day-to-day duties and could be susceptible to coercion.

While Yandex, which also has ride-sharing services, navigation products, and other consumer mobile applications, is not currently sanctioned by the United States or the European Union, great care must be taken when using technology produced by those within the company because of its close cooperation and ties with the Russian state and its security agencies. Notably, in 2009 the company voluntarily gave state-owned and Kremlin-aligned Sberbank a golden share, granting veto power over transactions involving more than 25% of Yandex stock. Since then, Yandex has increasingly cooperated with Russian data-sharing laws, exposing users and companies to possible state surveillance, reduced privacy, malicious code, and data breaches. During the first half of 2024, according to its own transparency report and additional public reporting, the company complied with 80% of the 36,540 requests from the Russian government to share data about its users, a 12% increase over the same period in 2023.

Through the COVID-19 pandemic and Russia’s invasion of Ukraine, Yandex has collaborated closely with the Kremlin, according to a report from the MIT Technology Review, which cites incidents including:

  • February 2020: A policeman accused of planting drugs on a journalist claimed he got the reporter’s address from Yandex Taxi.
  • April 2020: Reports emerged that Moscow might use Yandex to surveil foreign tourists via cell phone data. Yandex denied this.
  • April 2020: The company deleted critical comments about government buildings from Yandex Navigator.
  • April 2020: Searches for opposition leader Alexei Navalny returned mostly negative content, which Yandex called an “experiment.”


This points to a pattern of state influence in Russian technology companies, which we previously detailed in a threat report on easyjson, a Go package owned, maintained, and controlled by Russian developers.

What are the risks associated with using fast-glob?

Put simply, fast-glob offers both the solo maintainer and the Kremlin an opportunity to carry out a state-sponsored attack, especially given the open-source community’s tendency to blindly adopt projects with little to no information about the contributors behind them. We cannot overstate the risks.

While mrmInc has no known ties to any threat actor today, the account is a single point of failure: a compromised credential, or pressure on the maintainer, is all that stands between an attacker and a release that reaches every project depending on fast-glob. Once that happens, mrmInc could push, or be influenced to push, updates to more than 5,000 projects without review from any other GitHub user. That would give Russian state-aligned attackers an immediate path into thousands of known projects, not to mention an unknown number of undisclosed and private projects across the Node.js ecosystem. A compromise of that magnitude could infiltrate and disrupt critical infrastructure across government, commercial, healthcare, and financial systems, as well as the countless other vital industries that citizens around the world rely on every day.

Fast-glob has several possible attack vectors that could currently be exploited:

  • A malicious release could act against the filesystem directly, reading sensitive files such as .env files holding environment variables and secure shell (SSH) keys, and exfiltrating them
  • Denial of service is possible when an expensive or unbounded pattern is run against a large filesystem, whether by accident or because a malicious party supplies the pattern
  • Glob injection, where an attacker controls the pattern passed to fast-glob, can skip files during traversal or reach data outside the intended directory; because symbolic link following is enabled by default, traversal can also be steered into unexpected parts of the filesystem to extract sensitive information
  • A kill switch shipped in a release could prevent downstream software from functioning
  • Malware could be injected into downstream software


And that’s just scratching the surface. Because fast-glob runs with the full filesystem access of whatever process calls it, the number and variety of attacks it could be used for cannot be overstated.

At the time of writing, no CVEs have been filed against fast-glob.

How to replace or fix fast-glob

There’s no quick and easy way to replace or fix fast-glob. The best option is for mrmInc to add additional maintainers and oversight to the project, with new maintainers who are known to the open source community and live in democratic societies. This is the simplest solution that immediately protects the thousands of projects that use fast-glob.

Absent that, you could replace fast-glob with a similar project suitable for your needs; pin to the current, reviewed version (by exact version and lockfile integrity hash, so that a future release is not pulled in automatically); fork and maintain a version for your organization; or work with us to audit and replace components in your codebase that may be subject to foreign influence.

Open Source Continues to be a Threat Vector

Open source software doesn’t need a CVE to be dangerous. It only needs access, obscurity, and complacency. Fast-glob is just another example of how foreign-controlled code can be embedded into the software we trust. As geopolitical tensions rise and cyber attacks become more sophisticated, surfacing these risks is a necessity.

For U.S.-based companies selling to the Department of Defense, the use of open-source projects like fast-glob or easyjson may prevent your software from passing the enhanced supply chain security measures that the Secretary of Defense outlined in a July 2025 DoD memo.

“The DoD will not procure any hardware or software susceptible to adversarial foreign influence that presents risk to mission accomplishment and must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the Department.” 

For any company handling sensitive data that may be of interest to foreign governments, it is imperative to identify who is writing the open-source code embedded in your software and assess whether they pose a threat to your customers and mission. The stakes are simply too high to overlook this critical aspect of software security.


Request a demo of Entercept, the first and only platform designed to identify and track foreign influence in your software.
