New Sync Attack Against NPM Registry API Could Expose Private Packages
A newly discovered synchronization attack against npm’s registry API can be exploited to potentially leak private packages used by organizations, exposing developers to supply chain threats.
“By creating a list of possible package names, threat actors can detect organizations’ extended private packages and then hide public packages, tricking employees and users into downloading them,” said the Aqua Security researcher. , Yakir Kadkoda.
The Scoped Confusion attack relies on the analysis of the time taken by the npm API (registry.npmjs[.]org) to return an HTTP 404 error message when requesting a private package and measure it against the response time of a non-existent module.
“It takes less time on average to get a response for a private package that doesn’t exist compared to a private package that does exist,” Kadkoda explained.
The idea, ultimately, is to identify packages used internally by companies, which could then be used by threat actors to create public versions of the same packages in an attempt to poison the blockchain. software supply.
The latest findings are also different from dependency confusion attacks in that they require the adversary to first guess the private packages used by an organization and then release fake packages with the same name under the public scope.
Dependency confusion (i.e. namespace confusion), on the other hand, relies on package managers checking public code registries for a package before private registries, resulting in the Retrieving a higher version malicious package from the public repository.
Aqua Security said it disclosed the bug to GitHub on March 8, 2022, prompting the Microsoft-owned subsidiary to respond that the timing attack will not be patched due to architectural limitations.
As a preventive measure, organizations are recommended to regularly scan npm and other package management platforms for similar or spoofed packages that are impersonating internal peers.
“If you cannot find public packages similar to your internal packages, consider creating public packages as placeholders to prevent such attacks,” Kadkoda said.