Timing Attacks Can Be Used to Check for Existence of Private NPM Packages

Container and cloud-native application security provider Aqua Security warns that the existence of private NPM packages can be disclosed by performing timing attacks.

Container and cloud-native application security provider Aqua Security warns that the existence of private NPM packages can be disclosed by performing timing attacks.

Specifically, the security firm has discovered that an attacker armed with a list of package names may launch timing attacks to determine whether an organization has created specific NPM packages that are not publicly accessible.

Once they have identified the existence of a private package, the attacker can mount a supply chain attack by creating public packages that pose as legitimate packages and tricking employees and users into downloading them.

The issue, Aqua explains, resides in the ‘404 Not found’ error that NPM’s API responds with when an unauthenticated user sends a request to receive information about a private package.

Regardless of whether the package has existed or not, the response is the same, but the message is served much faster if the package never existed. However, the attacker would need to send multiple consecutive requests to notice the difference in response timings.

“If a threat actor sends around five consecutive requests for information about a private package then analyzes the time taken for npm to reply, it is possible for them to determine whether the private package in fact exists,” Aqua notes.

In fact, by analyzing the time it takes for the NPM API to deliver the ‘404 Not found’ message, an attacker could distinguish a package that exists (or once existed and has since been deleted) from one that was never created.

“Due to this, we can assume that this flaw is embedded in the architecture of the API and is a result of the caching mechanism,” Aqua notes.

An attacker looking to exploit this in the wild would first need a list of candidate names, obtained through a dictionary or guessing attack, by searching for public packages that were deleted when taken private, or by mapping all packages on NPM that have no public counterpart, and would then need to create fake malicious packages with the same names.

Next, the attacker could use the list to mount a timing attack to identify private packages and, if no public NPM packages with the same names exist, could create their own packages to mount supply chain attacks.
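The pattern described above leaves a footprint on the registry side: one client sending a burst of consecutive, unauthenticated requests for the same missing package path. The following detection script is an added example written for this article; it is not code from Aqua Security, GitHub or SecurityWeek. It assumes a constructed access-log format (`client ts GET path status latency_ms`) from a registry or proxy, a constructed inventory of the organization's private package names, and a threshold of five 404s within 30 seconds, which is an assumption taken from the "around five consecutive requests" figure quoted above and should be tuned to real traffic.

```python
"""Flag clients that repeatedly request the same non-existent npm package path,
the access pattern a timing probe for private packages produces.

Added example, not code from Aqua Security, GitHub or SecurityWeek.
Assumed (constructed) log format, one request per line:
    <client_ip> <iso_timestamp> <method> <path> <status> <latency_ms>
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample traffic, not real registry logs.
SAMPLE_LOG = """\
203.0.113.7 2022-10-20T10:00:00Z GET /@acme%2fbilling-core 404 412
203.0.113.7 2022-10-20T10:00:01Z GET /@acme%2fbilling-core 404 398
203.0.113.7 2022-10-20T10:00:02Z GET /@acme%2fbilling-core 404 405
203.0.113.7 2022-10-20T10:00:03Z GET /@acme%2fbilling-core 404 401
203.0.113.7 2022-10-20T10:00:04Z GET /@acme%2fbilling-core 404 399
203.0.113.7 2022-10-20T10:00:05Z GET /@acme%2fnot-a-thing 404 120
203.0.113.7 2022-10-20T10:00:06Z GET /@acme%2fnot-a-thing 404 118
203.0.113.7 2022-10-20T10:00:07Z GET /@acme%2fnot-a-thing 404 125
203.0.113.7 2022-10-20T10:00:08Z GET /@acme%2fnot-a-thing 404 119
203.0.113.7 2022-10-20T10:00:09Z GET /@acme%2fnot-a-thing 404 122
198.51.100.9 2022-10-20T10:00:00Z GET /lodash 200 55
198.51.100.9 2022-10-20T10:00:30Z GET /@acme%2fbilling-core 404 410
"""

# Assumed thresholds: five 404s for one path from one client inside 30 seconds.
PROBE_THRESHOLD = 5
WINDOW = timedelta(seconds=30)

# Constructed inventory of the organization's private package names.
PRIVATE_PACKAGES = {"@acme/billing-core", "@acme/auth-sdk"}


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    client, ts, method, path, status, latency = parts
    try:
        return {
            "client": client,
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "method": method,
            # Registry paths encode the scope separator, e.g. /@acme%2fname.
            "package": unquote(path.lstrip("/")),
            "status": int(status),
            "latency_ms": int(latency),
        }
    except ValueError:
        return None


def find_probes(log_text, threshold=PROBE_THRESHOLD, window=WINDOW):
    """Return one finding per (client, package) that received >= threshold
    unauthenticated 404s inside any sliding window of `window` length."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["status"] == 404:
            buckets[(rec["client"], rec["package"])].append(rec)

    findings = []
    for (client, package), recs in buckets.items():
        recs.sort(key=lambda r: r["time"])
        # Densest run of 404s that fits inside the window.
        start, best = 0, 0
        for end in range(len(recs)):
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({
                "client": client,
                "package": package,
                "requests": len(recs),
                "median_latency_ms": statistics.median(r["latency_ms"] for r in recs),
                # Probes of names on the private inventory are the ones that matter:
                # they tell the defender which private names a prober could confirm.
                "private_name": package in PRIVATE_PACKAGES,
            })
    # Private-name hits first, then stable ordering for reporting.
    findings.sort(key=lambda f: (not f["private_name"], f["client"], f["package"]))
    return findings


if __name__ == "__main__":
    for f in find_probes(SAMPLE_LOG):
        tag = "PRIVATE NAME" if f["private_name"] else "unknown name"
        print(f"{f['client']} probed {f['package']} x{f['requests']} "
              f"(median {f['median_latency_ms']} ms) [{tag}]")
```

Running it reports the single client that sent five bursts against each of two paths; the single 404 from the second client is left alone. The latency column is kept in the finding only so an analyst can see the gap the article describes between a real private name and a name that never existed; the detection itself keys on the request burst, which a registry operator can observe even though, as GitHub concluded, the timing difference itself cannot be removed. A follow-up check a practitioner would pair with this is confirming that every name on the private inventory is either scoped or already reserved on the public registry by the organization.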

Aqua says it has reported the issue to GitHub, which determined that the behavior is in line with the NPM API’s architecture and that timing attacks cannot be prevented.

Related: LofyGang Cybercrime Group Used 200 Malicious NPM Packages for Supply Chain Attacks

Related: GitHub Improves npm Account Security as Incidents Rise

Related: Checkmarx Finds Threat Actor ‘Fully Automating’ NPM Supply Chain Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
