Lying in Wait: New Strider Report Finds High-Risk Contributors Connected to Adversarial Nation-States in Open Source Software Ecosystems
Press Releases
Strider
First-of-its-kind research demonstrates that individuals with affiliations to risky Russian and PRC entities are contributing code into critical software supply chains
Salt Lake City, UT (August 4, 2025) – Strider Technologies, Inc. ("Strider"), the leading provider of strategic intelligence, today published a new report documenting how individuals with direct affiliations to nation-state adversaries are active contributors to popular open source software (OSS) ecosystems. The presence of state-sponsored cyber threat groups on OSS platforms such as GitHub illustrates the new era of geopolitical risk confronting organizations.
Strider’s report—Lying in Wait: Understanding the Contributors Behind Open Source Code—details how OSS platforms are increasingly weaponized by advanced persistent threat (APT) groups at the contributor level. Through subtle code contributions, the insertion of backdoors, and the exploitation of trusted software components, these actors can embed threats into software pipelines used by corporations, developers, and governments alike.
“Open source software platforms are the backbone of today’s digital infrastructure, yet in many cases it’s unclear even who is submitting the code,” said Greg Levesque, CEO and Co-Founder of Strider. “In turn, nation-states like China and Russia are exploiting this visibility gap. Individuals are lying in wait, building credibility in the ecosystem with the power to introduce malicious code with devastating downstream effects. Our research reveals that a focus on who contributes the code, in addition to what the code does, is imperative for organizations to make informed decisions about the trustworthiness of their systems.”
State-sponsored cyber threat groups, like APT41 (PRC), Lazarus Group (North Korea), and Cozy Bear (Russia), have exploited OSS platforms to further their governments’ strategic objectives. These actors have become active contributors who subvert the openness of these platforms to infiltrate the software supply chain, steal sensitive data, and enable long-term cyber-espionage campaigns. Several high-profile incidents in recent years—such as the Python Package Index (PyPI) supply chain attack, the Log4Shell vulnerability exploitation, and the XZ Utils backdoor incident—illustrate this trend.
Using its new open source software screening capability, Strider analyzed contributors to popular OSS repositories. This analysis identified contributor handles with direct affiliations to nation-state actors from China, Russia, and Iran. Findings include:
- More than 21% of the contributors to openvino-genai were flagged with affiliations and work relationships that present nation-state security threats. This includes two active contributors who were tied to several high-risk, nation-state ecosystems.
- The openvino-genai repository sits at the heart of modern AI inference workflows, containing the code making it possible to run generative AI models on consumer-grade devices.
- The OpenVINO toolkit is increasingly popular, having been downloaded more than one million times and appearing in 62 downstream projects.
- One of the active contributors (“as-suvorov”) was formerly employed as a full-stack developer at U.S.-sanctioned software company MFI Soft.
- MFI Soft has conducted a significant amount of work on behalf of the Federal Protective Service's (FSO) Special Communications Service, a cryptologic intelligence agency responsible for the collection and analysis of foreign communications and signals intelligence.
- Another active contributor (“sbalandi”) was formerly employed by Positive Technologies, a Russian information technology firm that was sanctioned by the U.S. in 2021 for facilitating malicious cyber operations and supporting Russian government cyber actors.
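The contributor screen the release describes reduces, at its simplest, to joining commit authorship metadata against a list of affiliations of concern. The following is an added example of that join, written for this page; it is not Strider's tooling and does not reproduce its data. The watchlist domains, the repository, and the git log lines are all constructed. The log format assumed is `git log --format='%H%x1f%an%x1f%ae%x1f%G?'`, where `%G?` is git's per-commit signature verification status.

```python
"""Contributor-provenance screen over git author metadata (added example).

Screens commits by author e-mail domain against a watchlist of affiliations
and reports, per contributor, how many commits could not be tied to a
verified signing key. Watchlist and sample log are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# git's %G? placeholder values (see git-log documentation).
SIG_MEANING = {
    "G": "good signature", "U": "good signature, untrusted key",
    "N": "unsigned", "B": "bad signature", "E": "cannot verify",
    "X": "expired signature", "Y": "expired key", "R": "revoked key",
}

# Constructed watchlist: e-mail domain -> affiliation label. Hypothetical domains.
WATCHLIST = {
    "flagged-vendor.example": "Vendor X (constructed affiliation)",
    "state-lab.example": "State research lab (constructed affiliation)",
}

# Constructed output of: git log --format='%H%x1f%an%x1f%ae%x1f%G?'
SAMPLE_LOG = "\n".join([
    "\x1f".join(["1111111", "Alice Example", "alice@example.com", "G"]),
    "\x1f".join(["2222222", "Alice Example", "alice@example.com", "G"]),
    "\x1f".join(["3333333", "Bob Drive-by", "bob@contrib.example", "N"]),
    "\x1f".join(["4444444", "Carol Vendor", "carol@flagged-vendor.example", "G"]),
    "\x1f".join(["5555555", "Carol Vendor", "Carol@Flagged-Vendor.example", "N"]),
])


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str  # one of the SIG_MEANING keys


def parse_log(text: str) -> list[Commit]:
    """Parse unit-separator (0x1f) delimited git log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, name, email, sig = line.split("\x1f")
        # Normalise case so the same mailbox is not counted as two contributors.
        commits.append(Commit(sha, name, email.strip().lower(), sig.strip()))
    return commits


def screen(commits: list[Commit], watchlist: dict[str, str]):
    """Group commits by author e-mail, flag watchlisted domains, count unverified commits.

    Returns (per_contributor_report, summary). A commit counts as unverified
    unless git reported a good signature from a trusted key ("G"); the author
    e-mail on an unverified commit is self-asserted and can be forged.
    """
    by_email: dict[str, list[Commit]] = defaultdict(list)
    for c in commits:
        by_email[c.author_email].append(c)

    report = {}
    for email, cs in by_email.items():
        domain = email.rsplit("@", 1)[-1]
        report[email] = {
            "commits": len(cs),
            "domain": domain,
            "affiliation": watchlist.get(domain),
            "unverified_commits": sum(1 for c in cs if c.sig_status != "G"),
            "signature_states": sorted({SIG_MEANING.get(c.sig_status, c.sig_status) for c in cs}),
        }

    flagged = [e for e, r in report.items() if r["affiliation"]]
    summary = {
        "contributors": len(report),
        "flagged_contributors": len(flagged),
        "flagged_contributor_share": len(flagged) / len(report) if report else 0.0,
        "flagged_commit_share": (
            sum(report[e]["commits"] for e in flagged) / len(commits) if commits else 0.0
        ),
    }
    return report, summary


if __name__ == "__main__":
    rep, summ = screen(parse_log(SAMPLE_LOG), WATCHLIST)
    for email, row in rep.items():
        print(f"{email:32} commits={row['commits']} unverified={row['unverified_commits']} "
              f"affiliation={row['affiliation']}")
    print(summ)
```

Two caveats a practitioner should carry over from this toy to a real screen. First, `author_email` is whatever the committer typed into `git config`; only commits whose signature verifies against a key you have tied to an identity ("G" in `%G?`) let you treat that field as evidence, which is why the report counts unverified commits separately. Second, a domain watchlist captures current employer at best; the affiliations in the release are former employment, which only platform account history and external records will surface, so the domain match is a first filter, not a verdict.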
The full report can be found here. Information on Strider’s Open Source Software Search tool can be found here.

About Strider
Strider is the leading strategic intelligence company empowering organizations to secure and advance their technology and innovation. Leveraging cutting-edge AI technology alongside proprietary methodologies, Strider transforms publicly available data into critical insights. This increased intelligence enables organizations to proactively address and respond to risks associated with state-sponsored intellectual property theft, targeted talent acquisition, and third-party partners. Strider has operations in 15 countries around the globe with offices in Salt Lake City, Washington, DC, London, and Tokyo.