The detected attack method includes a timing attack using the npm API. The npm Register API allows users to download existing packages and check for the existence of packages. When using the npm registry to download a package that does not exist or is set as private, the website returns a 404 HTTP error code stating that the package could not be found.Figure 1:404 Not Found: No response to an API request on npmAqua Security researchers used this feature to compare the response time of 404 HTTP errors with non-existent packets to check for the presence of custom packets they created in npm. As a result of the results obtained, it was observed that the response time to the request containing the name of an existing package was longer than the response time to the request made for the non-existent package. Therefore, threat actors can learn whether the package exists in the system through dictionary attacks by creating a list of possible package names for special packages used by institutions/organizations.Figure 2: Time for the app to respond to five requestsAfter detecting the private packages of the organizations, the threat actors can create fake malicious packages with the same name and trick the public/organizational employees into downloading them. It is predicted that such an attack could be linked to wider supply chain attacks. In this context, it is recommended to take the following security measures in order to reduce the risk of attacks that can be carried out using the said method.
Organizations should take preventive measures by frequently searching npm for suspicious packages that spoof their custom packages with similar names,
Because npm doesn’t allow same-named packages to be installed in public repositories, organizations should create public packages that emulate their private packages as placeholders,
If similar packages are found, it should be ensured that they do not contain malware, and relevant stakeholders should be informed.
We're here to help you with any questions or cyber security needs you may have! Our Team of experts is available around the clock and ready to asist. You can choose from the contact options below or simply fill out the form to get in touch with us. Dont hesitate to reach out - we're always happy to chat!
