NPM API flaw exposes secret packages

A flaw in the API for NPM could potentially allow a threat actor to see the internal packages for corporate users -- a possible first step for a supply chain attack.

Researchers disclosed a flaw in the NPM API that could potentially leave the door open for attacks on corporate developers.

The team at security vendor Aqua Security's Nautilus reported the discovery of what it considers to be a timing attack in the popular JavaScript package manager that would allow a threat actor to figure out what hidden packages are on a user's account. The worry is that by exposing a company's hidden packages, the attacker could in turn craft poisoned lookalike packages that could be targeted at company developers with the aim of an eventual supply chain attack.

According to a blog post by Aqua Nautilus researcher Yakir Kadkoda, the attack is carried out when the threat actor uses the NPM API to send a GET request for a specific package. Though the answer to the query will always be a 404 error, the timing of the response varies depending on whether the package exists.

"If a threat actor sends around five consecutive requests for information about a private package then analyzes the time taken for NPM to reply, it is possible for them to determine whether the private package in fact exists," Kadkoda explained. "More accurately, this would show whether the package exists now or if it had existed in the past though is now deleted. In both cases, it would be the same result."

This poses a threat because, over time, an attacker could suss out a company account's entire catalogue of hidden NPM modules. From there, it would simply be a matter of creating malware-laden lookalike packages in the hope that developers are either fooled by the lookalike or make a typo while requesting a package.

"Threat actors have the capability to create a list of potential private package names and run timing attacks to verify their existence," Kadkoda wrote. "Later, threat actors could create public packages masquerading as legitimate private ones and trick unknowing developers into downloading malicious packages."

Such attacks have become a popular tactic amongst malware developers, as they give attackers a line not only to the infected developers themselves but to any end users of the software those developers ship. Recently, Checkmarx researchers discovered one such attack that went unreported for one year, spreading 199 different malicious packages.

In this case, addressing the issue may not be a trivial matter. Aqua reported the issue to GitHub through the company's HackerOne bug bounty program in early March. While GitHub, which acquired NPM, responded to the bug report and investigated the flaw, there is apparently no fix coming.

Aqua told TechTarget Editorial that GitHub informed the security vendor that the flaw will go unaddressed: "because of these architectural limitations, we cannot prevent timing attacks from determining whether a specific private package exists on npm."

In the absence of a patch or mitigation, Aqua recommended developers keep a close eye on their code dependencies and make sure the packages they install on their projects are the intended ones.
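One way to act on that recommendation is to audit the lock file in CI rather than trusting installs by eye. The following Node script is an added example, not code from Aqua, GitHub or npm: it walks a `package-lock.json` (lockfileVersion 3 layout) and flags any dependency that sits in the organization's private scope but was resolved from the public registry, is absent from the inventory of packages the company actually publishes, or is within two edits of a known private package name. The scope `@acme`, the registry URLs, the inventory and the lock file contents are all constructed assumptions.

```javascript
// Added example (not from Aqua or npm): audit a package-lock.json so that every
// dependency in the organization's private scope resolves from the intended
// registry and matches a known inventory of internal package names.
// "@acme", the registry URLs, the inventory and the lock file are constructed.

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Assumed organization policy: private packages live under @acme and are
// served only from the internal registry.
const policy = {
  internalScopes: ["@acme"],
  privateRegistry: "https://npm.acme.example/",
  // Inventory of package names the company really publishes privately.
  expectedPrivate: ["@acme/auth-core", "@acme/billing-utils"],
};

// Constructed lockfileVersion 3 fragment: one good private package, one public
// package, and one lookalike of a private package pulled from the public registry.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "payments-service" },
    "node_modules/@acme/auth-core": {
      version: "2.1.0",
      resolved: "https://npm.acme.example/@acme/auth-core/-/auth-core-2.1.0.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
    "node_modules/@acme/bil1ing-utils": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/@acme/bil1ing-utils/-/bil1ing-utils-1.0.0.tgz",
    },
  },
};

// The package name is whatever follows the last "node_modules/" in the lock key,
// which also handles nested installs such as "node_modules/a/node_modules/b".
function packageNameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? key : key.slice(idx + "node_modules/".length);
}

// Single-row Levenshtein edit distance, used to spot one- or two-character lookalikes.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // value of the previous row at j-1
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Returns one finding per suspicious package: { name, version, reasons[] }.
function auditLock(lock, pol) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const name = packageNameFromKey(key);
    const resolved = entry.resolved || "";
    const inInternalScope = pol.internalScopes.some((s) => name.startsWith(s + "/"));
    const reasons = [];

    if (inInternalScope && !resolved.startsWith(pol.privateRegistry)) {
      const where = resolved.startsWith(PUBLIC_REGISTRY) ? "public registry" : "unexpected registry";
      reasons.push("internal scope resolved from " + where);
    }
    if (inInternalScope && !pol.expectedPrivate.includes(name)) {
      reasons.push("not in private package inventory");
    }
    for (const expected of pol.expectedPrivate) {
      const d = levenshtein(name, expected);
      if (d > 0 && d <= 2) reasons.push("lookalike of " + expected);
    }
    if (reasons.length) findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}

const results = auditLock(sampleLock, policy);
for (const f of results) console.log(`${f.name}@${f.version}: ${f.reasons.join("; ")}`);
```

The check assumes the project already pins its private scope to the internal registry (an `.npmrc` line of the form `@acme:registry=https://npm.acme.example/`), so a private-scope entry whose `resolved` URL points anywhere else is a policy violation worth failing the build on. The inventory list is what makes the "intended packages" recommendation concrete: without a source of truth for which internal names exist, neither the missing-from-inventory nor the lookalike check has anything to compare against.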

GitHub did not return a request for comment on the matter.
