Container and cloud-native application security provider Aqua Security warns that the existence of private NPM packages can be disclosed by performing timing attacks.
Specifically, the security firm has discovered that an attacker armed with a list of package names may launch timing attacks to determine whether an organization has created specific NPM packages that are not publicly accessible.
Once they have confirmed that a private package exists, the attacker can mount a supply chain attack by publishing public packages that pose as the legitimate ones and tricking employees and users into downloading them.
The issue, Aqua explains, resides in the ‘404 Not Found’ error that NPM’s API returns when an unauthenticated user requests information about a private package.
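A deterministic model of the 404 side channel described above, added here as an example that is neither Aqua's nor npm's code. The registry contents, the shape of the leaky code path (an authorization check that only runs for rows that actually exist) and the per-operation work costs are assumptions for illustration; work units stand in for wall-clock time so the difference is visible without timing noise.

```javascript
// Added example (not Aqua's or npm's code): how a registry's 404 path can
// reveal whether a private package exists, modelled with a work meter.

// Constructed registry state: one public and one private package.
const registry = {
  "public-lib":   { private: false, owner: "org-a" },
  "internal-lib": { private: true,  owner: "org-a" },
};

// Simulated backend calls; each charges a fixed amount of work.
function dbLookup(name, meter) { meter.cost += 5; return registry[name] || null; }
function authCheck(pkg, user, meter) { meter.cost += 20; return Boolean(user && user.org === pkg.owner); }

// Assumed leaky shape: the auth check only runs when a row exists, so a
// 404 for a real private package costs more than a 404 for an unknown name.
function leakyLookup(name, user) {
  const meter = { cost: 0 };
  const pkg = dbLookup(name, meter);
  if (pkg && (!pkg.private || authCheck(pkg, user, meter))) {
    return { status: 200, cost: meter.cost };
  }
  return { status: 404, cost: meter.cost };
}

// Hardened shape: always run the auth check, against a dummy record when
// nothing was found, so every miss spends the same amount of work.
const dummyPkg = { private: true, owner: "no-such-org" };
function uniformLookup(name, user) {
  const meter = { cost: 0 };
  const pkg = dbLookup(name, meter);
  const allowed = authCheck(pkg || dummyPkg, user, meter);
  if (pkg && (!pkg.private || allowed)) {
    return { status: 200, cost: meter.cost };
  }
  return { status: 404, cost: meter.cost };
}

// True when an unauthenticated caller can tell a real private name apart
// from a name that was never registered, even though both receive 404.
function existenceLeaks(lookup, name) {
  return lookup(name, null).cost !== lookup("definitely-not-a-package", null).cost;
}
```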