An attack method that reveals the names of special packages has been identified by Aqua Security researchers. Organizations create internal projects and custom packages of certain software products to keep their code and functionality private to minimize the risk of their development teams and inventories being exposed to targeted attacks.

The detected attack method includes a timing attack using the npm API. The npm Register API allows users to download existing packages and check for the existence of packages. When using the npm registry to download a package that does not exist or is set as private, the website returns a 404 HTTP error code stating that the package could not be found.

npm timing attacks — Figure 1:404 Not Found: No response to an API request on npm

Aqua Security researchers used this feature to compare the response time of 404 HTTP errors with non-existent packets to check for the presence of custom packets they created in npm. As a result of the results obtained, it was observed that the response time to the request containing the name of an existing package was longer than the response time to the request made for the non-existent package. Therefore, threat actors can learn whether the package exists in the system through dictionary attacks by creating a list of possible package names for special packages used by institutions/organizations.

reponse time npm — Figure 2: Time for the app to respond to five requests

After detecting the private packages of the organizations, the threat actors can create fake malicious packages with the same name and trick the public/organizational employees into downloading them. It is predicted that such an attack could be linked to wider supply chain attacks. In this context, it is recommended to take the following security measures in order to reduce the risk of attacks that can be carried out using the said method.

Organizations should take preventive measures by frequently searching npm for suspicious packages that spoof their custom packages with similar names,
Because npm doesn’t allow same-named packages to be installed in public repositories, organizations should create public packages that emulate their private packages as placeholders,
If similar packages are found, it should be ensured that they do not contain malware, and relevant stakeholders should be informed.