In a recent threat alert post, Yakir Kadkoda, Security Researcher at Aqua, outlined how NPM’s API can be used to mount a timing attack that detects whether a private package exists on the registry. The attack largely comes down to measuring how long the server takes to respond ‘Not Found’, which it does both when a package does not exist and when the package exists but is private. However, the time the server takes to reach that answer differs between a private package and an absent one.
If an attacker is able to determine the name of a company’s private package, for example through naming conventions shared by the company’s public and private packages, or through logs of deleted packages that may simply have been made private, and can then verify that the package is an active private package, new attack options open up. The attacker could create a public package with the same name as the company’s private package, in the hope that an employee grabs the copy-cat malicious package or, in some cases, that internal apps begin defaulting to the available public package of the same name instead of the private package they should be using.
Both of these outcomes could be ugly!
Aqua has provided several steps to help mitigate the risks of this style of attack against your private packages on NPM.
- Gather a list of all your organization’s private and public packages on all the package management platforms.
- Actively look for typosquatting, lookalike, or masquerading packages. Verify that there are no other packages with the same name as your internal private packages.
- If you find any similar packages, make sure that they do not contain malware and notify the relevant stakeholders.
- If you don’t find public packages similar to your internal packages, consider creating public packages as placeholders to prevent such attacks.
- If you would like to learn more about protecting yourself when using npm, you can read the npm blog post “Avoiding npm substitution attacks”.
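As an added example that is not code from the Aqua post, here is a small Node script that carries out steps 2 to 4 of that list: it takes an inventory of internal package names and reports which are unclaimed on the public registry (placeholder candidates), which are claimed by someone else (collisions), and which have a separator-swapped lookalike. The registry lookup is injected so the script runs offline on constructed data; the package names, the `acme-release-bot` maintainer account and the constructed registry contents are all assumptions, and the constructed lookup returns maintainer names as plain strings (a live packument lists `{name, email}` objects).

```javascript
// Added example, not code from the Aqua post: audit internal package names
// against the public npm registry. `lookup` is injected so this runs offline on
// constructed data; for a live check, swap in GET https://registry.npmjs.org/<name>
// (404 = absent or private, as the post notes).

// Assumed: the npm accounts that legitimately publish for our organisation.
const ORG_MAINTAINERS = new Set(["acme-release-bot"]);
// Constructed stand-in for the public registry (name -> metadata; missing = 404).
const constructedRegistry = {
  "acme-logger": { maintainers: ["acme-release-bot"] },     // our own placeholder
  "acme-auth-client": { maintainers: ["randomuser42"] },    // someone else's package
  "acme_billing_core": { maintainers: ["randomuser42"] },   // separator lookalike
};
function constructedLookup(name) {
  const meta = constructedRegistry[name];
  return meta ? { status: 200, maintainers: meta.maintainers } : { status: 404 };
}

// Cheap lookalike variants: the same name with every separator swapped.
function separatorVariants(name) {
  const out = new Set();
  for (const sep of ["-", "_", "."]) out.add(name.replace(/[-_.]/g, sep));
  out.delete(name);
  return [...out];
}

function classify(result, orgMaintainers) {
  if (result.status === 404) return "unclaimed";  // candidate for a placeholder (step 4)
  const ours = result.maintainers.some((m) => orgMaintainers.has(m));
  return ours ? "owned" : "collision";             // collision: inspect and escalate (step 3)
}

function auditInternalNames(names, lookup = constructedLookup, orgMaintainers = ORG_MAINTAINERS) {
  const report = { unclaimed: [], owned: [], collision: [], lookalike: [] };
  for (const name of names) {
    report[classify(lookup(name), orgMaintainers)].push(name);
    for (const v of separatorVariants(name)) {
      const r = lookup(v);
      if (r.status === 200 && !r.maintainers.some((m) => orgMaintainers.has(m))) {
        report.lookalike.push(`${v} (for ${name})`);
      }
    }
  }
  return report;
}

// Constructed inventory of names from our private registry (step 1).
const internalNames = ["acme-logger", "acme-auth-client", "acme-billing-core"];
console.log(JSON.stringify(auditInternalNames(internalNames), null, 2));
```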