Yakir Kadkoda, a Security Researcher at Aqua Nautilus, has revealed a unique timing attack on NPM API implementation that could lead to a supply chain attack. According to the researcher, this NPM API timing attack allows advisories to learn about the existence of scoped private NPM packages in the company’s repository. Once the advisories obtain the list of private packages that do not exist in the public repository, the attacker can create a malicious public package with the same name and deceive the employees into downloading their malicious package. Security researchers have rung warning bells often, not just about the NPM packages but other public package managers like GitHub. We recommend all those who use public package managers read this post, in which we are going to demonstrate how to protect your private NPM packages from being exposed using an NPM API timing attack in this post.
Summary of NPM API Timing Attack
This architectural flaw exists in the time taken to respond to the query of an API request in NPM. Advisories can abuse this NPM API timing attack to find the existence of the private packages. Basically, the attacker creates a list of package names and uses this NPM API Timing attack and filter out the existing packages from the list which doesn’t exist on the public package manager. The attacker then creates the public packages of the identified scoped private package to confuse the user to download the malicious public packages instead of the original private packages.
How Does Attacker Use NPM API Timing Attack to Find the Existence of the Private Package?
Aqua Nautilus said, “NPM APIs take on average less time to get a reply for a private package that does not exist compared to a private package that does.” If you see the numbers shared by the research team, API response has taken an average of 648 milliseconds when the package exists. On the other hand, in the case of a private package that doesn’t exist, the API response has taken an average of 101 milliseconds to return the result. This behavior helps the attacker to find the private package even if he doesn’t have access to the scoped private packages.
How Does NPM API Timing Attack Work?
After knowing about the NPM API Timing Attack, now it’s time to know how attackers can abuse this architectural flaw to exploit. Let’s go in step by step process to understand this better.
- Create a list of scoped private package names: This is the first step to creating a list of private package names created by the victim organization. The attacker would use many methods to create a list of possible package names. For example, the attacker could create a list of packages by guessing or presuming the names of packages used by a specific organization. The attacker could use dictionary words to create the list. The attacker could create the list of package names by looking at the patterns or combinations in the organizations’ public packages or historically created packages.
- Execute the NPM API Timing Attack: Upon the creation of the list of package names, the attacker sends the API request to search the packages. In this phase, the attacker will capture all the time taken by the APIs to replay back.
- Identify the existence of the scoped private packages: In this phase, the attacker will list out all the packages that have a greater response time. Because, as per the research, NPM APIs will take longer time to replay for the packages that do exist or are deleted in the comparison of non-existing or never created packages.
- Create public packages: Upon identifying the existence of the scoped private package list, the attacker checks for the existence of public packages with the same names. If he doesn’t see the packages created, then he creates the malicious packages on the public scope of NPM. Once the victim downloads the packages created by the attacker, the attacker starts exploiting the victim.
This is how the attacker abuse the NPM API Timing Attack to compromise the victim.
How to Protect Your Private NPM Packages Being Exposed Using NPM API Timing Attack?
Attackers say such attacks are getting more prevalent these days, so uses who use any public package managers or repositories would need to protect their packages from such substitution attacks. When you want to talk about NPM API Timing Attacks, here are some of the tips you should follow to protect your private NPM packages from adversaries.
- Manage all your organization’s public and private packages in an organized way. Make sure no duplicate packages exist.
- Periodically verify all the typo squatting, lookalikes, or masquerading packages. If you catch any packages, take action against them.
- Make sure none of your packages are infected, tampered with, modified, or accessed by an unauthorized person. Delete them if so.
- We recommend creating public packages by the same name if you delete any public or private packages to avoid such attacks.
If you want to know more about such protection tips. Please visit this NPM blog.
We hope this post will help you know how to protect your private NPM packages from being exposed using the NPM API timing attack. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.