Episode #287 w/ Hayden Smith

Open Source Dependency Threats

How much should we worry about insecure open-source software widely used across the internet?

This week on Episode #287 of Absolute AppSec, we welcome back Seth Law (@sethlaw) and Ken Johnson (@cktricky) after a couple of weeks away. Hayden Smith has joined the hosts to discuss his professional background, as well as his work discovering and publicizing the EasyJson software supply chain threat. You can find the episode here, or wherever you get your podcasts.

Hayden Smith is a cybersecurity professional with a background in government contracting, open-source software security, and red/blue teaming. He began his career at Booz Allen Hamilton, working on cybersecurity assessments for the U.S. Air Force, before joining Anchore, now known for Syft and Grype, where he focused on container security and open-source tooling. His work on DoD Platform One gave him firsthand experience with software supply-chain security. During these years, Hayden became acutely aware of the question of who actually maintains the software, initially seen as a curious but niche concern. Eventually, this question evolved into a core research and development focus, leading to Hayden co-founding Hunted Labs, a company dedicated to investigating software attribution, influence, and ownership risks in open-source ecosystems. You can find him on his LinkedIn.

“Open source is a national security issue.”

Hayden

The bulk of this episode centers on EasyJson, a Go library that many projects pull in as a transitive dependency, including through the OpenAPI specification tooling. Hunted Labs released a public report flagging concerning associations between its maintainers and Russian organizations with alleged ties to state-sponsored censorship and offensive cyber operations. Hayden clarifies that the investigation is not based solely on the geographic location of contributors. Instead, it combines multiple signals, such as corporate affiliations, public indictments, project ownership structures, and social network analysis, to assess risk. For example, the EasyJson project was hosted under a MailRu organization account, which is now part of VK, a company identified with Russian state security services. The Hunted Labs team identified connections between contributors and individuals under U.S. government sanctions for cyber operations, further deepening concerns. Despite these findings, Hayden stops short of recommending that users immediately stop using EasyJson. Instead, he advocates for making informed decisions: consider alternatives, monitor the project more closely, and integrate signals like OpenSSF Scorecard results and development hygiene into software risk management practices.

“I’m not saying you guys have to stop using EasyJson, but this is your risk picture right now. […] I think a lot of the open source community is taking action to try and solve that.”

Hayden

The release of the EasyJson report triggered passionate responses across the security community. Some praised it as a necessary wake-up call for better transparency and risk modeling in open-source ecosystems. Others worried it would lead to overreactions or even xenophobia in open-source software consumption. The hosts and Hayden emphasize that the goal is not blanket distrust of contributors from certain regions, but rather a data-driven approach to understanding attribution and control. Ken notes that supply-chain risk has always included the question of who’s actually writing the code, but that now, with tooling like what Hunted Labs offers, teams have a chance to operationalize those questions with real data. There are many ongoing efforts that prove that the community is engaging seriously with the issue, such as the open issue in OpenAPI to remove EasyJson as a dependency. Hayden urges organizations to begin including attribution and control in their security reviews just as they do for vulnerabilities and SBOMs.
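The first question such a review raises is whether a watchlisted module is reachable from your build at all, and through which chain. The Go program below, an added example rather than code from the episode or from Hunted Labs, answers it by parsing `go mod graph` output and reporting the shortest dependency path; the sample graph is constructed, and every module path in it other than github.com/mailru/easyjson is hypothetical.

```go
package main
import (
	"fmt"
	"strings"
)
// Constructed `go mod graph` sample ("parent child" per line); every module
// path except github.com/mailru/easyjson is hypothetical.
const sampleGraph = `example.com/app github.com/example/openapi-spec@v1.2.0
example.com/app github.com/example/logger@v0.3.1
github.com/example/openapi-spec@v1.2.0 github.com/example/jsonschema@v0.9.0
github.com/example/jsonschema@v0.9.0 github.com/mailru/easyjson@v0.7.7`

// ParseGraph builds an adjacency list keyed by module path with the version
// stripped, so a watchlist match does not depend on the pinned version.
func ParseGraph(out string) map[string][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		p, c := strings.SplitN(f[0], "@", 2)[0], strings.SplitN(f[1], "@", 2)[0]
		edges[p] = append(edges[p], c)
	}
	return edges
}
// DependencyPath is a breadth-first search from root that returns the shortest
// chain of modules pulling in target, or nil when target is not a dependency.
func DependencyPath(edges map[string][]string, root, target string) []string {
	seen := map[string]bool{root: true}
	queue := [][]string{{root}}
	for len(queue) > 0 {
		path := queue[0]
		queue = queue[1:]
		last := path[len(path)-1]
		if last == target {
			return path
		}
		for _, next := range edges[last] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, append(append([]string{}, path...), next))
			}
		}
	}
	return nil
}

func main() {
	p := DependencyPath(ParseGraph(sampleGraph), "example.com/app", "github.com/mailru/easyjson")
	fmt.Println("flagged module reached via:", strings.Join(p, " -> "))
}
```

On a real module, feed it the output of `go mod graph` and a watchlist of module paths your review has flagged; the reported chain tells you which direct dependency to raise the question with.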

This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of apps, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.

Beat the summertime blues with a nice Absolute AppSec T-shirt. Visit our merch store to pick your size.

Summertime bringing blue skies, and…Ts

And, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack. Show topics often originate as discussion points with the Slack audience, so you can join there to offer ideas for what you’d like the podcast to cover as well as pick the brains of a number of industry experts.

Stay Secure,

Seth & Ken

https://www.youtube.com/watch?v=9N6OX38QCmg - Episode #160 - Mental Health, Securing Open-Source - Interesting discussion of the EU-FOSSA initiative that put 200K behind a bug-hunting reward program (now suspended) for open-source software on the Intigriti platform.

https://www.youtube.com/watch?v=avuGmRCcVVA - Episode #93 - Huntr Team - Huntr Dev has evolved to focus a lot of their bug bounty platform on securing AI/ML ecosystems, but they still work to provide bug bounty rewards to secure certain OSS projects. Interesting discussion here on the topic.

https://www.youtube.com/watch?v=_ENIbLadfZQ - Episode #201 - Breaches, Package Managers, Audit Logs - What are the responsibilities of package managers with regard to disclosure and removal of packages that are discovered to be vulnerable?

Absolute AppSec Happenings

https://www.zeropartydata.es/p/localhost-tracking-explained-it-could - “‘Localhost tracking’ explained. It could cost Meta 32 billion.” - (Coming via Peter’s hat tip in the Absolute AppSec slack) Jorge García Herrero explains how Facebook finds you, and how that could now open the company up to even more penalties for things like GDPR violations.

https://www.proofpoint.com/us/blog/threat-insight/attackers-unleash-teamfiltration-account-takeover-campaign - “Attackers Unleash TeamFiltration: Account Takeover Campaign (UNK_SneakyStrike) Leverages Popular Pentesting Tool” from Proofpoint. Entra ID accounts were gathered through user enumeration and then hit with password spraying, with some 80,000 account takeovers (ATOs) resulting. The article includes IoCs for blue teams to dig through.

https://www.darkreading.com/application-security/poisoned-npm-packages-disguised-utilities-system-wipeout - “Poisoned npm Packages Disguised as Utilities Aim for System Wipeout” - A set of malicious packages whose backdoor isn’t looking for ransomware-style payouts but rather general destruction of systems. The threat follows along the lines of things like the EasyJson attack discussed in this week’s episode.

Upcoming Events

Where in the world are Seth and Ken?

July 17-18, 2025 - Practical Secure Code Review - AI Enhanced - Given the recent demand, the duo returns with a virtual training with all the AI updates that continually evolve.

August 11-12, 2025 - Harnessing LLMs for Application Security - Back to DEF CON, but this time with an updated course. Integrating LLMs into AppSec from static to dynamic analysis. Tips, tricks and more.