Container and cloud-native application security provider Aqua Security warns that the existence of private NPM packages can be disclosed by performing timing attacks.
Specifically, the security firm has discovered that an attacker armed with a list of package names may launch timing attacks to determine whether an organization has created specific NPM packages that are not publicly accessible.
Once they have identified the existence of a private package, the attacker can mount a supply chain attack by creating public packages that pose as legitimate packages and tricking employees and users into downloading them.
The issue, Aqua explains, resides in the ‘404 Not found’ error that NPM’s API responds with when an unauthenticated user sends a request to receive information about a private package.
Regardless of whether the package has existed or not, the response is the same, but the message is served much faster if the package never existed. However, the attacker would need to send multiple consecutive requests to notice the difference in response timings.
“If a threat actor sends around five consecutive requests for information about a private package then analyzes the time taken for npm to reply, it is possible for them to determine whether the private package in fact exists,” Aqua notes.
In fact, by analyzing the time it takes for the NPM API to deliver the ‘404 Not found’ message, an attacker could determine the existence of the package (whether it has existed and is now deleted or exists) versus if it was never created.
“Due to this, we can assume that this flaw is embedded in the architecture of the API and is a result of the caching mechanism,” Aqua notes.
An attacker looking to exploit this in the wild would first need to perform a dictionary or a guessing attack, search for public packages that were deleted when taken private, or they would need to map all packages on NPM that do not have public packages, and create fake malicious packages with the same names.
Next, the attacker could use the list to mount a timing attack to identify private packages and, if no public NPM packages with the same names exist, could create their own packages to mount supply chain attacks.
Aqua says it has reported the issue to GitHub, which determined that the behavior is in line with the NPM API’s architecture and that timing attacks cannot be prevented.