Attackers use npm timing attack to exploit private packages

Share post:

Aqua security experts have uncovered a npm timing attack that reveals the names of private packages and allows attackers to trick developers into using malicious clones.

A timing attack is a vulnerability that allows an attacker to discover vulnerabilities in a local or remote system to extract potentially sensitive or secret information. This is done by observing the concerned system’s response time to various inputs.

In the case of npm, a registry API allows the user to download existing packages, verify the existence of packages, and obtain information about all packages to a certain extent.

According to researchers, the attack is based on a small time difference in the return of a “404 Not Found” error when searching for a private package compared to a non-existing package in the repository. Although the time difference is only a few hundred milliseconds, it is sufficient to determine whether a private package exists to perform package impersonation attacks.

Aqua Security discovered the npm timing attack using the nmp API to verify the existence of private packages they had created on npm and compared the response time of the 404 HTTP errors with API checks for non-existing packages.

Private packages are important because companies use them for internal projects and some software products, thereby reducing the risk of their development teams. However, they must be kept private, as attackers can create clones or typosquatted packages to get employees to download clones. In cases where the compromise is not detected, the cloned products could reach end users ending up as a supply chain compromise.

The sources for this piece include an article in BleepingComputer.

Featured Tech Jobs


Related articles

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Controversial expansion of US surveillance powers nears Senate vote

The US Senate is poised to vote on a significant expansion of Section 702 of the Foreign Intelligence...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways