"New Timing Attack Against npm Registry API Could Expose Private Packages"

A novel timing attack against the npm registry Application Programming Interface (API) can potentially be used to reveal the private packages used by organizations, putting developers at risk of supply chain threats. Threat actors can detect organizations' scoped private packages and then publish public packages that masquerade as them, tricking employees and users into downloading them by working from a list of possible package names, according to Aqua Security researcher Yakir Kadkoda. The Scoped Confusion attack compares the time it takes the npm API to return an HTTP 404 error message when querying for a private package with the response time for a non-existent module. According to Kadkoda, it takes less time to receive a response for a private package that does not exist than it does for a private package that does. The goal is to identify corporate packages that threat actors could then publish public versions of, under the same names, in an attempt to poison the software supply chain. The latest findings differ from dependency confusion attacks in that the adversary must first guess the private packages used by an organization before publishing fake packages with the same name under the public scope. Dependency confusion, also known as namespace confusion, relies on the fact that package managers look for a package in public code registries before private registries, resulting in the retrieval of a higher-version package from the public repository. This article continues to discuss the Scoped Confusion attack.

THN reports "New Timing Attack Against npm Registry API Could Expose Private Packages"
