Yakir Kadkoda, a Security Researcher at Aqua Nautilus, has revealed a unique timing attack on NPM API implementation that could lead to a supply chain attack. According to the researcher, this NPM API timing attack allows advisories to learn about the existence of scoped private NPM packages in the company’s repository. Once the advisories obtain the list of private packages that do not exist in the public repository, the attacker can create a malicious public package with the same name and deceive the employees into downloading their malicious package. Security researchers have rung warning bells often, not just about the NPM packages but other public package managers like GitHub. We recommend all those who use public package managers read this post, in which we are going to demonstrate how to protect your private NPM packages from being exposed using an NPM API timing attack in this post.
This architectural flaw exists in the time taken to respond to the query of an API request in NPM. Advisories can abuse this NPM API timing attack to find the existence of the private packages. Basically, the attacker creates a list of package names and uses this NPM API Timing attack and filter out the existing packages from the list which doesn’t exist on the public package manager. The attacker then creates the public packages of the identified scoped private package to confuse the user to download the malicious public packages instead of the original private packages.
Aqua Nautilus said, “NPM APIs take on average less time to get a reply for a private package that does not exist compared to a private package that does.” If you see the numbers shared by the research team, API response has taken an average of 648 milliseconds when the package exists. On the other hand, in the case of a private package that doesn’t exist, the API response has taken an average of 101 milliseconds to return the result. This behavior helps the attacker to find the private package even if he doesn’t have access to the scoped private packages.
Source: Aqua NautilusSource: Aqua Nautilus
After knowing about the NPM API Timing Attack, now it’s time to know how attackers can abuse this architectural flaw to exploit. Let’s go in step by step process to understand this better.
Create a list of scoped private package names: This is the first step to creating a list of private package names created by the victim organization. The attacker would use many methods to create a list of possible package names. For example, the attacker could create a list of packages by guessing or presuming the names of packages used by a specific organization. The attacker could use dictionary words to create the list. The attacker could create the list of package names by looking at the patterns or combinations in the organizations’ public packages or historically created packages.
Execute the NPM API Timing Attack: Upon the creation of the list of package names, the attacker sends the API request to search the packages. In this phase, the attacker will capture all the time taken by the APIs to replay back.
Identify the existence of the scoped private packages: In this phase, the attacker will list out all the packages that have a greater response time. Because, as per the research, NPM APIs will take longer time to replay for the packages that do exist or are deleted in the comparison of non-existing or never created packages.
Create public packages: Upon identifying the existence of the scoped private package list, the attacker checks for the existence of public packages with the same names. If he doesn’t see the packages created, then he creates the malicious packages on the public scope of NPM. Once the victim downloads the packages created by the attacker, the attacker starts exploiting the victim.
This is how the attacker abuse the NPM API Timing Attack to compromise the victim.
Attackers say such attacks are getting more prevalent these days, so uses who use any public package managers or repositories would need to protect their packages from such substitution attacks. When you want to talk about NPM API Timing Attacks, here are some of the tips you should follow to protect your private NPM packages from adversaries.
Manage all your organization’s public and private packages in an organized way. Make sure no duplicate packages exist.
Periodically verify all the typo squatting, lookalikes, or masquerading packages. If you catch any packages, take action against them.
Make sure none of your packages are infected, tampered with, modified, or accessed by an unauthorized person. Delete them if so.
We recommend creating public packages by the same name if you delete any public or private packages to avoid such attacks.
If you want to know more about such protection tips. Please visit this NPM blog.
We hope this post would help you know how to protect your private NPM packages from being exposed using the NPM API timing attack. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
You may also like these articles:
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”
"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.
BurpGPT is a cutting-edge Burp Suite extension that harnesses the power of OpenAI's language models to revolutionize web application security testing. With customizable prompts and advanced AI capabilities, BurpGPT enables security professionals to uncover bespoke vulnerabilities, streamline assessments, and stay ahead of evolving threats.
PentestGPT, developed by Gelei Deng and team, revolutionizes penetration testing by harnessing AI power. Leveraging OpenAI's GPT-4, it automates and streamlines the process, making it efficient and accessible. With advanced features and interactive guidance, PentestGPT empowers testers to identify vulnerabilities effectively, representing a significant leap in cybersecurity.
Tenable BurpGPT is a powerful Burp Suite extension that leverages OpenAI's advanced language models to analyze HTTP traffic and identify potential security risks. By automating vulnerability detection and providing AI-generated insights, BurpGPT dramatically reduces manual testing efforts for security researchers, developers, and pentesters.
Microsoft Security Copilot is a revolutionary AI-powered security solution that empowers cybersecurity professionals to identify and address potential breaches effectively. By harnessing advanced technologies like OpenAI's GPT-4 and Microsoft's extensive threat intelligence, Security Copilot streamlines threat detection and response, enabling defenders to operate at machine speed and scale.