Evacuating the Cyber Kill Zone: One Year After easyjson

Written By
Amanda Aguayo
on
May 5, 2026
Blog Image

In May 2025, we released our first threat report and sparked a reaction the industry couldn’t ignore—from an exclusive in WIRED to critics coming out of the woodwork to defend the status quo. The report identified easyjson, a library powering the core of the Go ecosystem, as a potential software supply chain risk. The open source package is controlled by engineers at Mail.ru and VK Group (collectively known as VK), Moscow-based entities whose CEO, Vladimir Kiriyenko, is currently sanctioned by the United States and European Union.

A year later, we’re looking back at how the report transformed the Cyber Kill Zone from a provocative theory to an industry-wide reality, triggering an evident mass exodus throughout OSS.


What is the Cyber Kill Zone?

To understand why removing the easyjson library is a strategic advantage for defenders, you have to understand the Cyber Kill Zone. Unlike the "Kill Chain," which describes the steps of an attack already in progress, the Cyber Kill Zone is about pre-positioning.

Adversaries pre-position themselves by embedding their influence within foundational libraries and infrastructure that everyone trusts. This could involve maintaining control over a project like easyjson, for instance and then waiting for a tactical moment to exert control, gain visibility, or execute an attack.

We saw an aggressive example of pre-positioning with the Axios attack just a few weeks ago. By hijacking a trusted update stream, threat actors pre-positioned malicious code directly into thousands of build pipelines. As a result, they were able to transform a standard maintenance patch into a forward-deployed weapon, sitting silently on the target’s infrastructure long before the first signal was ever sent.

To counter the Cyber Kill Zone, defenders cannot be reactive. They must identify compromised territory and maneuver their organization to trusted ground before the adversary acts. Put simply, their only defense is to take proactive action.

Evidence of the Maneuver: The Great Withdrawal

Over the last 12 months, we’ve witnessed what we call “The Great Withdrawal” across the OSS ecosystem. Projects or organizations are making strategic and disciplined decisions to move their assets away from compromised positions and toward favorable and secure ones. It isn’t frantic, but an informed and calculated adjustment intended to preserve sovereignty and eliminate long-term risk.

Here are just a few examples of this withdrawal in action across the most critical projects in the Go ecosystem:

Project Name Role in Ecosystem Tactical Result Reference Link
go-openapi/swag OpenAPI Foundation Refactor: Replaced easyjson templates with native Go encoding/json logic. Issue #68
swaggo/swag API Documentation Dependency Drop: Fully purged from go.mod; bumped Go version to leverage 1.24+ optimizations. PR #2108
marshmallow Struct Conversions Logic Shift: Decoupled marshalling from the mailru fast-pathto standard library fallback. Issue #32
kube-openapi Kubernetes Toolchain Upstream Sync: Forced a version bump across the K8s ecosystem to "clean" downstream binaries. K8s-OpenAPI
jsonschema Schema Validation Toolchain Update: Switched internal validation generation to use more secure, modern encoders. Issue #182


go-openapi/swag issue #68 closed.

We Refuse to Be Passive

This past year has been marked by a shift toward an aggressive and proactive defensive posture. Our mission—Protect the Hunted—is rooted in this very idea: being reactive is a losing game.

In 2025, we assumed the role of a scout, identifying new threats that were creeping into attack surfaces. Today, we’re seeing the impact: software supply chains that are increasingly leaner, more transparent, and significantly harder to compromise. 

The Cyber Kill Zone is no place to be, and we're here to escort you out.

Didn’t get a chance to review the easyjson report yet? Download the Original easyjson Threat Report Here.

Want to jumpstart identifying threats like easyjson within your code? Take a Deep Dive with DepsDiver.

Cta ImageCta Image

Your Hunt Starts Now

Learn how DepsDiver and Entercept help organizations investigate and defend their software supply chains and critical systems.