In a letter to National Cyber Director Sean Cairncross, Sen. Tom Cotton, R-Ark., detailed his concerns about Russia and China contributing to the open-source software ecosystem.
The open-source software ecosystem underpins American software systems, including Department of War software, Cotton said.
"Historically, such a framework has pulled in talent from around the world to build projects that have become ubiquitous, foundational technology," Cotton said.
"Unfortunately, there are reports that state-sponsored software developers and cyber espionage groups have started to exploit this communal environment, which assumes that contributors are benevolent, to insert malicious code into widely used open-source codebases," he said.
Last year, an intentionally planted back door was discovered in XZ Utils, a critical open-source tool.
Jia Tan, the actor behind the code, spent years building credibility and waiting for the right moment, Cotton wrote.
A Russia-based developer is the sole maintainer of fast-glob, another piece of open-source software embedded in software packages in the Department of War, raising alarms about potential compromises, the senator warned.
Chinese conglomerates such as Alibaba and Huawei are ranked in the top 20 contributors worldwide in the most recent Open Source Contributor Index.
"The Chinese Communist Party's (CCP) national security laws impose broad obligations on China-based entities, including compelling companies to provide technical assistance to further CCP goals," Cotton wrote.
He said that leaving our reliance on open-source software unmonitored exposes America to increasingly dangerous risks, noting that Secretary of War Pete Hegseth released a memo declaring that the Pentagon "will not procure any ... software susceptible to adversarial foreign influence ... and must prevent such adversaries from introducing malicious capabilities into the products and services utilized by the Department."
Cotton wrote to Cairncross, "As the Office of the National Cyber Director holds responsibility for coordinating implementation of national cyber policy and government-wide cybersecurity, you are well-positioned to lead the U.S. government in addressing this cross-cutting vulnerability."
"I respectfully request that you take steps to build up the federal government's capability to maintain awareness of provenance and foreign influence on OSS and track contributions from developers in adversary nations," he added.
Sam Barron
Sam Barron has almost two decades of experience covering a wide range of topics including politics, crime and business.
© 2025 Newsmax. All rights reserved.