New Timing Attack Against NPM Registry API Could Expose Private Packages
2022-10-13 12:00

A novel timing attack discovered against npm's registry API can be exploited to potentially disclose private packages used by organizations, putting developers at risk of supply chain threats.

The Scoped Confusion attack banks on analyzing the time it takes for the npm API to return an HTTP 404 error message when querying for a private package, and measuring it against the response time for a non-existing module.

The idea, ultimately, is to identify packages internally used by companies, which could then be used by threat actors to create public versions of the same packages in an attempt to poison the software supply chain.

The latest findings also differ from dependency confusion attacks in that the attack requires the adversary to first guess the private packages used by an organization and then publish phony packages with the same name under the public scope.

As preventive measures, it's recommended that organizations routinely scan npm and other package management platforms for lookalike or spoofed packages that masquerade as the internal counterparts.

"If you don't find public packages similar to your internal packages, consider creating public packages as placeholders to prevent such attacks," Kadkoda said.
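One way to carry out the lookalike scan and placeholder check recommended above, as an added example that is not code from the article or from npm: it compares internal scoped package names against a list of public package names and reports same-name, separator-variant and one-character near-match candidates. The package names are constructed sample data standing in for names retrieved from the registry, and the helper names (`findLookalikes`, `placeholdersNeeded`) are hypothetical.

```javascript
// Added example. All package names are constructed sample data.
const INTERNAL = ["@acme/billing-utils", "@acme/auth-core", "@acme/deploy-tools"];
const PUBLIC = ["billing-utils", "billing_utils", "auth-cor", "left-pad"];

// Drop the "@scope/" prefix: a public copy reuses the name without the scope.
const bareName = (pkg) => pkg.replace(/^@[^/]+\//, "").toLowerCase();
// Also drop separators so "billing_utils" and "billing-utils" compare equal.
const normalize = (pkg) => bareName(pkg).replace(/[-_.]/g, "");

// Levenshtein distance, used to catch one-character typo variants.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Flag public names that match or closely resemble an internal package.
function findLookalikes(internalPkgs, publicPkgs, maxDistance = 1) {
  const findings = [];
  for (const internal of internalPkgs) {
    for (const candidate of publicPkgs) {
      if (candidate === internal) continue; // our own published package
      let reason = null;
      if (bareName(candidate) === bareName(internal)) reason = "same-name";
      else if (normalize(candidate) === normalize(internal)) reason = "separator-variant";
      else if (editDistance(normalize(candidate), normalize(internal)) <= maxDistance)
        reason = "near-match";
      if (reason) findings.push({ internal, candidate, reason });
    }
  }
  return findings;
}

// Internal names with no similar public package: candidates for placeholders.
function placeholdersNeeded(internalPkgs, publicPkgs) {
  const flagged = new Set(findLookalikes(internalPkgs, publicPkgs).map((f) => f.internal));
  return internalPkgs.filter((pkg) => !flagged.has(pkg)).map(bareName);
}

console.log(findLookalikes(INTERNAL, PUBLIC));
console.log(placeholdersNeeded(INTERNAL, PUBLIC));
```

A distance threshold of 1 is noisy for very short package names, so findings are a review queue rather than a verdict.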


News URL

https://thehackernews.com/2022/10/new-timing-attack-against-npm-registry.html