Open Source Security: Malicious Bookmarks Targeting Repositories in Russia


Since February this year, Russia has seen a dramatic surge in malicious bookmarks embedded in open source code, with numbers increasing by about twentyfold according to a major cybersecurity firm. The report from Kommersant, citing a large security company, highlights a troubling trend in the software supply chain that could ripple through developers and businesses that rely on open source components.

Security researchers at Kaspersky Lab say they have identified one hundred malicious items in foreign open-source software since February. These bookmarks are scattered across various development repositories and are designed to insert provocative content or prompt a political action. The discovery underscores how attackers are abusing open source ecosystems to spread malicious payloads and complicate code review processes throughout the software supply chain.

Dmitry Shmoylov, head of the software security department at Kaspersky Lab, notes that the principal risk lies in the way these bookmarks can piggyback onto legitimate contributions. If an open-source project is tainted with bad elements, those same components can propagate into products that rely on earlier, unverified versions. This creates a danger not just for a single vendor but for every company that uses those open-source elements in its solutions.

Shmoylov emphasizes that failure to continuously verify the open-source code used across products can expose a broad set of users to risk. The concern is magnified when more than a hundred open-source solutions feature such bookmarks, potentially infecting a large share of programs deployed across organizations that depend on those components for critical operations.
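The "continuous verification" Shmoylov calls for has a concrete, mechanical core: every open-source component a build pulls in should be pinned to an exact version and an artifact hash, and the fetched artifact should be checked against that hash before it is used. The script below is an added example written for this article; it is not Kaspersky's tooling or code from the report. It parses a small requirements-style lockfile constructed inline (package names libfoo, libbar and libbaz and their contents are hypothetical), flags entries that are unpinned or lack a hash, and reports a mismatch when the artifact bytes differ from the pinned SHA-256, which is how a silently modified version of a dependency would surface.

```python
import hashlib
import re
from dataclasses import dataclass

# Exact pin with an optional sha256 hash, e.g. "pkg==1.2.3 --hash=sha256:<64 hex>".
PIN_RE = re.compile(
    r"^([A-Za-z0-9_.-]+)==([0-9][^\s]*)(?:\s+--hash=sha256:([0-9a-f]{64}))?$"
)


@dataclass
class Finding:
    package: str
    problem: str


def parse_lockfile(text):
    """Return ({name: (version, sha256 or None)}, findings for weak entries)."""
    pinned = {}
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if m is None:
            # Range specifiers (>=, ~=, bare names) let a future, unreviewed
            # release slip into the build; report them rather than guess.
            name = re.split(r"[<>=~!\s]", line, 1)[0]
            findings.append(Finding(name, "not pinned to an exact version"))
            continue
        name, version, digest = m.groups()
        if digest is None:
            findings.append(Finding(name, "no sha256 hash pin"))
        pinned[name.lower()] = (version, digest)
    return pinned, findings


def verify_artifacts(pinned, artifacts):
    """Compare fetched artifact bytes ({name: bytes}) against the pinned hashes."""
    findings = []
    for name, (version, expected) in pinned.items():
        data = artifacts.get(name.lower())
        if data is None:
            findings.append(Finding(name, "artifact not available for verification"))
            continue
        if expected is None:
            continue  # already reported as unhashed by parse_lockfile
        actual = hashlib.sha256(data).hexdigest()
        if actual != expected:
            findings.append(Finding(
                name,
                f"sha256 mismatch for {version}: expected {expected[:12]}..., "
                f"got {actual[:12]}...",
            ))
    return findings


# Constructed sample data (not real packages): a clean artifact, a tampered
# copy of it, and a lockfile whose hash was taken from the clean copy.
GOOD_TARBALL = b"fake sdist bytes for libfoo 1.4.2"
TAMPERED_TARBALL = GOOD_TARBALL + b"\n# injected implant\n"
GOOD_HASH = hashlib.sha256(GOOD_TARBALL).hexdigest()

LOCKFILE = f"""\
# constructed lockfile for illustration
libfoo==1.4.2 --hash=sha256:{GOOD_HASH}
libbar==0.9.0
libbaz>=2.0
"""


def audit(lockfile_text=LOCKFILE, artifacts=None):
    """Run both checks and return (package, problem) pairs for the report."""
    if artifacts is None:
        artifacts = {"libfoo": TAMPERED_TARBALL, "libbar": b"libbar 0.9.0 sdist"}
    pinned, findings = parse_lockfile(lockfile_text)
    findings += verify_artifacts(pinned, artifacts)
    return [(f.package, f.problem) for f in findings]


if __name__ == "__main__":
    for package, problem in audit():
        print(f"{package}: {problem}")
```

Run against the constructed data the audit reports three findings: libbar has no hash pin, libbaz is not pinned at all, and libfoo's artifact no longer matches its recorded SHA-256. Swapping the tampered bytes for the clean ones clears the libfoo finding, which is the point: the hash pin, not the version string, is what detects a substituted artifact.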

Earlier reports indicated that this issue has been observed in Russia, where researchers have also encountered other forms of malware that spread through push notifications and other out-of-band channels. This evolving threat landscape calls for heightened vigilance in how open-source contributions are reviewed, tested, and integrated into enterprise software. Robust supply-chain security practices and proactive vulnerability management can help protect users across North America and beyond as these threats migrate and adapt to new environments.
