A novel timing attack discovered against the npm’s registry API can be exploited to potentially disclose private packages used by organizations, putting developers at risk of supply chain threats.
The Scoped Confusion attack relies on comparing the response time for a non-existent module to the time it takes the npm API to return an HTTP 404 error message when requesting a private package.
The most recent discoveries differ from dependency confusion attacks in that they call for the adversary to first guess the private packages that an organization uses before publishing phony packages with the same name under the public scope.
Read More: New Timing Attack Against NPM Registry API Could Expose Private Packages
For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.
