October 13, 2022

Aqua security experts have uncovered a npm timing attack that reveals the names of private packages and allows attackers to trick developers into using malicious clones.

A timing attack is a vulnerability that allows an attacker to discover vulnerabilities in a local or remote system to extract potentially sensitive or secret information. This is done by observing the concerned system’s response time to various inputs.

In the case of npm, a registry API allows the user to download existing packages, verify the existence of packages, and obtain information about all packages to a certain extent.

According to researchers, the attack is based on a small time difference in the return of a “404 Not Found” error when searching for a private package compared to a non-existing package in the repository. Although the time difference is only a few hundred milliseconds, it is sufficient to determine whether a private package exists to perform package impersonation attacks.

Aqua Security discovered the npm timing attack using the nmp API to verify the existence of private packages they had created on npm and compared the response time of the 404 HTTP errors with API checks for non-existing packages.

Private packages are important because companies use them for internal projects and some software products, thereby reducing the risk of their development teams. However, they must be kept private, as attackers can create clones or typosquatted packages to get employees to download clones. In cases where the compromise is not detected, the cloned products could reach end users ending up as a supply chain compromise.

The sources for this piece include an article in BleepingComputer.