New Timing Attack Against NPM Registry API Could Expose Private Packages

by crpt os


A novel timing attack discovered against the npm’s registry API can be exploited to potentially disclose private packages used by organizations, putting developers at risk of supply chain threats.

“By creating a list of possible package names, threat actors can detect organizations’ scoped private packages and then masquerade public packages, tricking employees and users into downloading them,” Aqua Security researcher Yakir Kadkoda said.


The Scoped Confusion attack banks on analyzing the time it takes for the npm API (registry.npmjs[.]org) to return an HTTP 404 error message when querying for a private package, and measuring it against the response time for a non-existing module.

[Image: Private NPM Packages]

“It takes on average less time to get a reply for a private package that does not exist compared to a private package that does,” Kadkoda explained.

The idea, ultimately, is to identify packages internally used by companies, which could then be used by threat actors to create public versions of the same packages in an attempt to poison the software supply chain.

[Image: Private NPM Packages]

The latest findings also differ from dependency confusion attacks in that the adversary must first guess the private packages used by an organization and then publish phony packages with the same names under the public scope.

Dependency confusion (aka namespace confusion), in contrast, relies on the fact that package managers check public code registries for a package before private registries, resulting in the retrieval of a malicious higher version package from the public repository.


Aqua Security said it disclosed the bug to GitHub on March 8, 2022, prompting the Microsoft-owned subsidiary to issue a response that the timing attack will not be fixed due to architectural limitations.

As preventive measures, it’s recommended that organizations routinely scan npm and other package management platforms for lookalike or spoofed packages that masquerade as the internal counterparts.

“If you don’t find public packages similar to your internal packages, consider creating public packages as placeholders to prevent such attacks,” Kadkoda said.
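The routine scan and placeholder step recommended above can be automated. The following script is an added example written for this article, not code from Aqua Security or npm: it takes an inventory of an organization's private scoped packages, derives the unscoped public name an impostor would have to register, queries the public registry for it, and reports which names already have a public owner (investigate those) and which are still free (candidates for placeholder packages). It assumes the registry answers `GET https://registry.npmjs.org/<name>` with HTTP 200 for an existing public package and 404 otherwise; the package names in the inventory are constructed sample values.

```python
"""Detect public npm packages that masquerade as an organization's private
scoped packages, and list the names still free for placeholder publication.

Added example for this article (hypothetical helper, not Aqua Security's or
npm's own tooling). Assumption: the public registry returns HTTP 200 for an
existing package document and HTTP 404 for a name nobody has published.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List

REGISTRY = "https://registry.npmjs.org"

# Constructed sample inventory of private scoped packages (not real packages).
PRIVATE_PACKAGES = [
    "@example-corp/billing-core",
    "@example-corp/auth-widgets",
    "@example-corp/internal-logger",
]


def unscoped_name(pkg: str) -> str:
    """'@scope/name' -> 'name'. Unscoped names are returned unchanged.

    A private package always lives under the organization's scope, so the
    collision an attacker can exploit is the same name without the scope.
    """
    if pkg.startswith("@") and "/" in pkg:
        return pkg.split("/", 1)[1]
    return pkg


def npm_lookup(name: str) -> int:
    """Live registry lookup: HTTP status of the package document."""
    req = urllib.request.Request(
        f"{REGISTRY}/{name}", headers={"User-Agent": "lookalike-scan/0.1"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def find_lookalikes(private_pkgs: List[str],
                    lookup: Callable[[str], int] = npm_lookup) -> Dict[str, str]:
    """Map each private package to the public name that already exists.

    Only packages with a live public counterpart appear in the result; those
    are the ones to review for spoofing. `lookup` is injectable so the scan can
    run offline against recorded responses.
    """
    hits: Dict[str, str] = {}
    for pkg in private_pkgs:
        public = unscoped_name(pkg)
        if lookup(public) == 200:
            hits[pkg] = public
    return hits


def placeholder_names(private_pkgs: List[str], hits: Dict[str, str]) -> List[str]:
    """Public names with no owner yet: candidates for defensive placeholders."""
    return [unscoped_name(p) for p in private_pkgs if p not in hits]


if __name__ == "__main__":
    found = find_lookalikes(PRIVATE_PACKAGES)          # live query
    for private, public in found.items():
        print(f"REVIEW: public package '{public}' shadows '{private}'")
    for name in placeholder_names(PRIVATE_PACKAGES, found):
        print(f"FREE:   '{name}' has no public owner; consider a placeholder")
```

Run it from a scheduled job and alert on any newly appearing REVIEW line; the first run establishes which names are already taken (some may be unrelated legitimate packages, which still deserve a look because they will win a dependency resolution if a developer drops the scope by mistake).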
