npm attack that allows determining the presence of packages in private repositories

A method has been identified in npm for determining whether a package exists in a closed (private) repository. The problem is caused by a difference in response time when a third-party user who has no access to the repository requests an existing versus a non-existent package. Without access, the server returns a 404 error for any package in a private repository, but when a package with the requested name does exist, the error is returned with a noticeable delay. An attacker can use this behaviour to confirm the presence of a package while enumerating candidate names from a dictionary.

Knowing the names of packages in closed repositories may be needed to carry out a dependency confusion attack, which exploits overlapping dependency names in public and internal repositories. Knowing which internal npm packages are present in a corporate repository, an attacker can publish packages with the same names and higher version numbers to the public npm registry. If, during the build, the internal libraries are not explicitly tied in the configuration to their own repository, the npm package manager treats the public repository as having higher priority and fetches the package prepared by the attacker.

GitHub was notified of the problem in March but declined to add protection against the attack, citing architectural restrictions. Companies using private repositories are advised to periodically check for overlapping names appearing in the public repository, or to register placeholder packages under their own name that repeat the names of packages in their private repositories, so that attackers cannot publish packages with colliding names.
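Both recommendations above can be checked mechanically. The following script is an added example, not part of the original report: it reads a project's package.json and .npmrc, flags internal dependencies that npm could resolve from the public registry because their scope is not mapped to the private registry, and asks the public registry (by HTTP status only, never by timing) whether any internal name has already been claimed there. The `@acme` scope, the `npm.internal.example` host and the `audit` function are assumptions for illustration.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable

PUBLIC_REGISTRY = "https://registry.npmjs.org/"  # the real public npm registry


def parse_npmrc(text: str) -> dict[str, str]:
    """Return {scope: registry} for every '@scope:registry=URL' line in .npmrc."""
    scopes = {}
    for line in text.splitlines():
        m = re.match(r"\s*(@[\w.-]+):registry\s*=\s*(\S+)", line)
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def public_name_exists(name: str, timeout: float = 5.0) -> bool:
    """True if the public registry already serves a package with this name.
    Decides on the HTTP status (200 vs 404) alone, not on response timing."""
    url = PUBLIC_REGISTRY + urllib.parse.quote(name, safe="@")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def audit(package_json: str, npmrc: str, internal_names: Iterable[str],
          exists: Callable[[str], bool] = public_name_exists) -> dict[str, list[str]]:
    """Flag internal dependencies npm may fetch from the public registry
    ('unpinned') and internal names already taken there ('collisions')."""
    manifest = json.loads(package_json)
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    scoped = parse_npmrc(npmrc)
    internal = set(internal_names)
    # Unscoped names cannot be pinned to a registry in .npmrc at all; scoped
    # names are safe only if their scope maps to the private registry.
    unpinned = [n for n in deps if n in internal
                and (not n.startswith("@") or n.split("/")[0] not in scoped)]
    collisions = sorted(n for n in internal if exists(n))
    return {"unpinned": sorted(unpinned), "collisions": collisions}
```

Run `audit(...)` from a scheduled job with the list of names in your private repository; any entry in `collisions` that you did not register yourself deserves immediate attention.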
