Attackers use npm timing attack to exploit private packages

Aqua security experts have uncovered a npm timing attack that reveals the names of private packages and allows attackers to trick developers into using malicious clones.

A timing attack is a vulnerability that allows an attacker to discover vulnerabilities in a local or remote system to extract potentially sensitive or secret information. This is done by observing the concerned system’s response time to various inputs.

In the case of npm, a registry API allows the user to download existing packages, verify the existence of packages, and obtain information about all packages to a certain extent.

According to researchers, the attack is based on a small time difference in the return of a “404 Not Found” error when searching for a private package compared to a non-existing package in the repository. Although the time difference is only a few hundred milliseconds, it is sufficient to determine whether a private package exists to perform package impersonation attacks.

Aqua Security discovered the npm timing attack using the nmp API to verify the existence of private packages they had created on npm and compared the response time of the 404 HTTP errors with API checks for non-existing packages.

Private packages are important because companies use them for internal projects and some software products, thereby reducing the risk of their development teams. However, they must be kept private, as attackers can create clones or typosquatted packages to get employees to download clones. In cases where the compromise is not detected, the cloned products could reach end users ending up as a supply chain compromise.

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web