An attack on NPM that lets an outsider determine whether a package exists in a private registry

A flaw has been identified in NPM that lets a third party without access detect whether a package of a given name exists in a private registry. The issue is caused by different response times for existing and non-existent packages when the request comes from a client that has no access to them. registry.npmjs.org answers such a request with an HTTP 404 error in both cases, but when a package with the requested name does exist, the 404 arrives with a noticeable delay. An attacker can exploit this timing difference to enumerate private package names by running through a dictionary of candidate names and measuring the response time for each.

Knowing the names of packages in a private registry is a prerequisite for a dependency confusion attack, which exploits overlap between dependency names in public and internal registries. Once an attacker knows which internal NPM packages a company uses, they can publish packages with the same names and higher version numbers to the public NPM registry. If the build configuration does not explicitly bind the internal packages to the internal registry (for example through a scoped registry entry in .npmrc), npm will treat the public package as the newer match and download the version prepared by the attacker.

GitHub was notified of the problem in March but declined to add protection against the attack, citing architectural limitations. Companies using private packages are advised to periodically check the public registry for packages whose names overlap with their internal ones, or to register placeholder packages under those names themselves, so that attackers cannot publish packages with the same names.
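An offline check that a defender can run before consulting the public registry, as an added Node.js example that is not code from the original article: it parses the project's .npmrc and package.json, reports which internal dependencies would be fetched from the public registry (and so be exposed to the same-name, higher-version attack above), and lists the unscoped internal names that need monitoring or placeholder packages. The .npmrc contents, package.json, internal package list, scope and hostnames are constructed and hypothetical.

```javascript
// Added example, not code from the original article: an offline audit of a
// project's npm client configuration against the dependency confusion
// scenario described above. The .npmrc contents, package.json and the list
// of internal package names below are constructed; scope, host and package
// names are hypothetical.
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Parse the two .npmrc keys that decide where a package is fetched from:
// the default "registry=" and per-scope "@scope:registry=" entries.
// Comments and unrelated keys (auth tokens, proxies, ...) are skipped.
function parseNpmrc(text) {
  const cfg = { registry: PUBLIC_REGISTRY, scopes: {} };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") cfg.registry = value;
    else if (key.startsWith("@") && key.endsWith(":registry")) {
      cfg.scopes[key.slice(0, -":registry".length)] = value;
    }
  }
  return cfg;
}

const normalizeRegistry = (url) => url.replace(/\/+$/, "").toLowerCase();

// The registry npm consults for a name: the scope's registry if one is
// configured, otherwise the default.
function registryFor(name, cfg) {
  if (name.startsWith("@")) {
    const scope = name.split("/")[0];
    if (cfg.scopes[scope]) return cfg.scopes[scope];
  }
  return cfg.registry;
}

// Report internal dependencies that this configuration would fetch from the
// public registry (where an attacker's same-name, higher-version package
// would win) and the internal names worth monitoring or reserving there.
function auditDependencies(packageJson, npmrcText, internalNames) {
  const cfg = parseNpmrc(npmrcText);
  const internal = new Set(internalNames);
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  const confusable = Object.keys(deps).filter(
    (name) => internal.has(name) && normalizeRegistry(registryFor(name, cfg)) === normalizeRegistry(PUBLIC_REGISTRY),
  );
  // Unscoped names can be published by anyone; a scoped name can only be
  // squatted if the scope itself is not owned on the public registry.
  const unscopedInternal = internalNames.filter((n) => !n.startsWith("@"));
  return { confusable: confusable.sort(), unscopedInternal: unscopedInternal.sort() };
}

// Constructed inputs.
const constructedNpmrc = [
  "# hypothetical corporate .npmrc: only the @acme scope is pinned",
  "@acme:registry=https://npm.acme.internal/",
  "//npm.acme.internal/:_authToken=REDACTED",
].join("\n");

const constructedPackageJson = {
  name: "acme-portal",
  dependencies: { "@acme/auth-client": "^2.1.0", "acme-billing-core": "^1.4.0", express: "^4.18.2" },
  devDependencies: { "acme-test-utils": "^0.3.0" },
};

// In practice this list comes from the private registry's own index.
const constructedInternalNames = ["@acme/auth-client", "acme-billing-core", "acme-test-utils"];

const report = auditDependencies(constructedPackageJson, constructedNpmrc, constructedInternalNames);
console.log(JSON.stringify(report, null, 2));
// acme-billing-core and acme-test-utils fall through to the public registry;
// @acme/auth-client is safe because its scope is pinned to the internal host.

module.exports = { PUBLIC_REGISTRY, parseNpmrc, registryFor, auditDependencies, constructedNpmrc, constructedPackageJson, constructedInternalNames };
```

The names in `confusable` are the ones to fix in configuration (move them under a pinned scope or point the default registry at an internal proxy); the names in `unscopedInternal` are the ones to query on the public registry on a schedule, or to register as placeholders, as the advice above suggests.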

Source: opennet.ru
