A novel timing attack discovered against the npm registry API can be exploited to potentially disclose private packages used by organizations, putting developers at risk of supply chain threats. “By creating a list of possible package names, threat actors can detect organizations’ scoped private packages and then masquerade public packages, tricking employees and users into downloading them,”