Connect with us

Hi, what are you looking for?


Application Security

Timing Attacks Can Be Used to Check for Existence of Private NPM Packages

Container and cloud-native application security provider Aqua Security warns that the existence of private NPM packages can be disclosed by performing timing attacks.

Container and cloud-native application security provider Aqua Security warns that the existence of private NPM packages can be disclosed by performing timing attacks.

Specifically, the security firm has discovered that an attacker armed with a list of package names may launch timing attacks to determine whether an organization has created specific NPM packages that are not publicly accessible.

Once they have identified the existence of a private package, the attacker can mount a supply chain attack by creating public packages that pose as legitimate packages and tricking employees and users into downloading them.

The issue, Aqua explains, resides in the ‘404 Not found’ error that NPM’s API responds with when an unauthenticated user sends a request to receive information about a private package.

Regardless of whether the package has existed or not, the response is the same, but the message is served much faster if the package never existed. However, the attacker would need to send multiple consecutive requests to notice the difference in response timings.

“If a threat actor sends around five consecutive requests for information about a private package then analyzes the time taken for npm to reply, it is possible for them to determine whether the private package in fact exists,” Aqua notes.

In fact, by analyzing the time it takes for the NPM API to deliver the ‘404 Not found’ message, an attacker could determine the existence of the package (whether it has existed and is now deleted or exists) versus if it was never created.

“Due to this, we can assume that this flaw is embedded in the architecture of the API and is a result of the caching mechanism,” Aqua notes.

Advertisement. Scroll to continue reading.

An attacker looking to exploit this in the wild would first need to perform a dictionary or a guessing attack, search for public packages that were deleted when taken private, or they would need to map all packages on NPM that do not have public packages, and create fake malicious packages with the same names.

Next, the attacker could use the list to mount a timing attack to identify private packages and, if no public NPM packages with the same names exist, could create their own packages to mount supply chain attacks.

Aqua says it has reported the issue to GitHub, which determined that the behavior is in line with the NPM API’s architecture and that timing attacks cannot be prevented.

Related: LofyGang Cybercrime Group Used 200 Malicious NPM Packages for Supply Chain Attacks

Related: GitHub Improves npm Account Security as Incidents Rise

Related: Checkmarx Finds Threat Actor ‘Fully Automating’ NPM Supply Chain Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.