17 Oct 2022

Aqua Nautilus has discovered that npm’s API allows threat actors to execute a timing attack that can detect whether private packages exist on the package manager. By creating a list of possible package names, threat actors can detect organisations’ scoped private packages and then publish public packages that masquerade as them, tricking employees and users into downloading them.
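The masquerade step above only succeeds if an install actually resolves the private scoped name from the public registry. As an added defensive check (not code from the Aqua Nautilus post), the script below scans a package-lock.json (lockfileVersion 2/3 `packages` map) and reports every package under a pinned organisation scope whose recorded tarball URL is missing or does not come from the registry that scope is pinned to. The `@acme` scope, the internal registry URL and the sample lockfile are all constructed for the example.

```javascript
// Hypothetical organisation scope -> expected registry origin (assumed names).
const SCOPE_REGISTRIES = {
  '@acme': 'https://npm.internal.acme.example/',
};
// Constructed sample package-lock.json (lockfileVersion 3 "packages" map):
// one entry from the private registry, one with the private scope but a
// public-registry tarball, and one nested entry with no "resolved" URL.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'acme-app', version: '1.0.0' },
    'node_modules/@acme/auth-client': {
      version: '2.3.1',
      resolved: 'https://npm.internal.acme.example/@acme%2fauth-client/-/auth-client-2.3.1.tgz',
    },
    'node_modules/@acme/billing-sdk': {
      version: '99.0.0',
      resolved: 'https://registry.npmjs.org/@acme/billing-sdk/-/billing-sdk-99.0.0.tgz',
    },
    'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
    'node_modules/lodash/node_modules/@acme/logger': { version: '1.0.0' },
  },
};
// The package name is everything after the last "node_modules/" in the key.
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}
// Returns one finding per scoped package whose scope is pinned to a registry
// but whose recorded tarball URL is missing or comes from somewhere else.
// Unscoped packages and scopes that are not pinned are ignored.
function findRegistryMismatches(lockfile, scopeRegistries) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !name.startsWith('@')) continue;
    const expected = scopeRegistries[name.split('/')[0]];
    if (!expected) continue;
    const resolved = entry.resolved || '';
    if (!resolved.startsWith(expected)) {
      findings.push({ name, version: entry.version, resolved: resolved || null, expected });
    }
  }
  return findings;
}
// Example run over the constructed lockfile: flags billing-sdk and logger.
console.log(findRegistryMismatches(SAMPLE_LOCKFILE, SCOPE_REGISTRIES));
```

Pair the check with an `.npmrc` that pins the scope (`@acme:registry=https://npm.internal.acme.example/`) so that new installs cannot fall through to the public registry in the first place.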

This kind of attack belongs to the broader category of supply chain attacks. Over the past few years, Aqua Nautilus has seen an increase in the volume and variety of such attacks in the wild. This blog post digs deeper into the issue and demonstrates how users can mitigate the risks.