Chinese National Linked to Malicious Open-Source Code Contributions
WASHINGTON – A Chinese national, identified as Chen, has been linked to the submission of malicious code into widely used open-source software projects, according to cybersecurity firm Strider Technologies. The revelation raises concerns about the potential for nation-state actors to compromise critical digital infrastructure through the exploitation of open-source vulnerabilities.
Strider researchers reportedly traced Chen through his professional affiliations, revealing his past role as a student at Shanghai Jiao Tong University (SJTU) in China. During his studies, Chen specialized in mobile data mining and conducted research on public surveillance techniques at a key state laboratory. His research was financially supported by Chinese entities, including technology giant Huawei Technologies.
The firm did not disclose the specific methods used to identify Chen and other potentially malicious contributors, citing the need to protect its investigative techniques. However, Strider emphasized the inherent risks within the open-source ecosystem, where the identities of code contributors are often obscured.
“Open source software platforms are the backbone of today’s digital infrastructure, yet in many cases it’s unclear even who is submitting the code,” said Greg Levesque, CEO and co-founder of Strider, in a statement. “In turn, nation-states like China and Russia are exploiting this visibility gap. Individuals are lying in wait, building credibility in the ecosystem with the power to introduce malicious code with devastating downstream effects.”
The vulnerability of open-source software is further highlighted by a recent Cybersecurity and Infrastructure Security Agency (CISA) report, which found that over half of critical open-source tools contain code susceptible to memory safety issues. These vulnerabilities could allow hackers to exploit software and gain unauthorized access to systems. CISA’s assessment, released in June 2024, specifically points to the prevalence of memory-unsafe code as a significant risk.
In response to these growing threats, the Defense Advanced Research Projects Agency (DARPA) is sponsoring a competition at the DEF CON hacker conference in Las Vegas, Nevada, scheduled for August 2025. Seven teams will participate, showcasing AI-powered systems designed to automatically detect and remediate vulnerabilities within open-source code. The goal is to develop automated solutions that can proactively address security flaws before they are exploited by malicious actors. DARPA has allocated $15 million to the “Secure Open Source Software” (SOS) program, which underpins this competition.
The incident involving Chen underscores the increasing sophistication of cyberattacks targeting the open-source supply chain. Experts warn that the lack of clarity in open-source development makes it difficult to identify and mitigate risks, potentially leaving critical infrastructure vulnerable to compromise. The ongoing DARPA competition and similar initiatives are aimed at bolstering the security of open-source software and protecting against future attacks.