In May 2025, we released our first threat report and sparked a reaction the industry couldn’t ignore—from an exclusive in WIRED to critics coming out of the woodwork to defend the status quo. The report identified easyjson, a library powering the core of the Go ecosystem, as a potential software supply chain risk. The open source package is controlled by engineers at Mail.ru and VK Group (collectively known as VK), Moscow-based entities whose CEO, Vladimir Kiriyenko, is currently sanctioned by the United States and European Union.
A year later, we’re looking back at how the report transformed the Cyber Kill Zone from a provocative theory to an industry-wide reality, triggering an evident mass exodus throughout OSS.
To understand why removing the easyjson library is a strategic advantage for defenders, you have to understand the Cyber Kill Zone. Unlike the "Kill Chain," which describes the steps of an attack already in progress, the Cyber Kill Zone is about pre-positioning.
Adversaries pre-position themselves by embedding their influence within foundational libraries and infrastructure that everyone trusts. This could involve maintaining control over a project like easyjson, for instance and then waiting for a tactical moment to exert control, gain visibility, or execute an attack.
We saw an aggressive example of pre-positioning with the Axios attack just a few weeks ago. By hijacking a trusted update stream, threat actors pre-positioned malicious code directly into thousands of build pipelines. As a result, they were able to transform a standard maintenance patch into a forward-deployed weapon, sitting silently on the target’s infrastructure long before the first signal was ever sent.
To counter the Cyber Kill Zone, defenders cannot be reactive. They must identify compromised territory and maneuver their organization to trusted ground before the adversary acts. Put simply, their only defense is to take proactive action.
Over the last 12 months, we’ve witnessed what we call “The Great Withdrawal” across the OSS ecosystem. Projects or organizations are making strategic and disciplined decisions to move their assets away from compromised positions and toward favorable and secure ones. It isn’t frantic, but an informed and calculated adjustment intended to preserve sovereignty and eliminate long-term risk.
Here are just a few examples of this withdrawal in action across the most critical projects in the Go ecosystem:
.png)
This past year has been marked by a shift toward an aggressive and proactive defensive posture. Our mission—Protect the Hunted—is rooted in this very idea: being reactive is a losing game.
In 2025, we assumed the role of a scout, identifying new threats that were creeping into attack surfaces. Today, we’re seeing the impact: software supply chains that are increasingly leaner, more transparent, and significantly harder to compromise.
The Cyber Kill Zone is no place to be, and we're here to escort you out.
Didn’t get a chance to review the easyjson report yet? Download the Original easyjson Threat Report Here.
Want to jumpstart identifying threats like easyjson within your code? Take a Deep Dive with DepsDiver.

