Security researchers have discovered a timing attack against the npm registry that reveals whether a guessed private package name exists, so threat actors can publish malicious clones under the same names on the public registry and trick developers into installing them instead.
The attack relies on a small difference in how long the registry takes to return a "404 Not Found" response for a private package compared with a package that does not exist at all; both unauthenticated requests receive the same status code, so the response time is the only signal.
While the difference is only a few hundred milliseconds, repeated measurements separate it from ordinary network jitter, which is enough to confirm that a private package exists and to stage a package impersonation attack against it.
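The measurement described above, as an added example that is not code from the original article or from the researchers who reported the behaviour: it times unauthenticated package requests, compares the median latency of a candidate name against a name that certainly does not exist, and flags the candidate when the gap exceeds a threshold. The registry URL, the sample count, the 0.2 s threshold and the constructed offline timings are assumptions for illustration, not values taken from the page.

```python
"""Check whether an npm package name leaks its existence through 404 timing.

Added example; not the article's or the researchers' code. The registry URL,
sample count and threshold below are assumptions chosen for illustration.
"""
import random
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Set, Tuple

REGISTRY = "https://registry.npmjs.org/"  # assumed public registry endpoint


def http_latency(package: str) -> float:
    """Issue one unauthenticated GET for a package document and return the
    round-trip time in seconds. A 404 is the expected answer for both a
    private and a non-existent package, so it is not treated as a failure."""
    url = REGISTRY + urllib.parse.quote(package, safe="@")  # @scope/name -> @scope%2Fname
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code != 404:
            raise
    return time.perf_counter() - start


def median_latency(fetch: Callable[[str], float], package: str, samples: int) -> float:
    """Take several samples and keep the median so that one slow or cached
    response cannot decide the outcome on its own."""
    return statistics.median(fetch(package) for _ in range(samples))


def classify(fetch: Callable[[str], float], candidate: str, baseline: str,
             samples: int = 15, threshold: float = 0.2) -> Tuple[bool, float]:
    """Compare `candidate` against `baseline`, a name known not to exist.
    Returns (looks_private, delta_seconds); the threshold is an assumption
    that should be calibrated against a package you know to be private."""
    candidate_ms = median_latency(fetch, candidate, samples)
    baseline_ms = median_latency(fetch, baseline, samples)
    delta = candidate_ms - baseline_ms
    return delta > threshold, delta


def constructed_fetch(private_names: Set[str], seed: int = 1) -> Callable[[str], float]:
    """Offline stand-in for the registry with CONSTRUCTED timings: a private
    name answers its 404 about 300 ms slower than an unknown name, and every
    response carries up to 80 ms of simulated jitter."""
    rng = random.Random(seed)

    def fetch(package: str) -> float:
        base = 0.40 if package in private_names else 0.10
        return base + rng.uniform(0.0, 0.08)

    return fetch


if __name__ == "__main__":
    import sys

    live = "--live" in sys.argv
    names = [a for a in sys.argv[1:] if a != "--live"] or ["@example-org/internal-tool"]
    # Hypothetical scoped name; the baseline is random enough never to exist.
    baseline = "zz-no-such-package-%08x" % random.getrandbits(32)
    fetch = http_latency if live else constructed_fetch({"@example-org/internal-tool"})
    for name in names:
        private, delta = classify(fetch, name, baseline)
        verdict = "likely private" if private else "likely non-existent"
        print(f"{name}: {verdict} (median delta {delta * 1000:.0f} ms)")
```

Run it without arguments to see the logic on constructed timings; pass `--live` and one or more package names to measure the real registry. Calibrate the threshold first against a package you know to be private and one you know is unclaimed, because the usable gap depends on your network path as much as on the registry.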