A novel timing attack discovered against npm’s registry API can be exploited to potentially disclose private packages used by organizations, putting developers at risk of supply chain threats.
“By creating a list of possible package names, threat actors can detect organizations’ scoped private packages and then masquerade public packages, tricking employees and users into downloading them,”
