Cybersecurity

Supply Chain Attack Abuses Community Nodes To Steal Oauth Tokens N8n

2026-01-12 0 views admin
Supply Chain Attack Abuses Community Nodes To Steal Oauth Tokens N8n

Threat actors have been observed uploading a set of eight packages on the npm registry that masqueraded as integrations targeting the n8n workflow automation platform to steal developers' OAuth credentials.

One such package, named "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit," mimics a Google Ads integration, and prompts users to link their advertising account in a seemingly legitimate form and then siphon it to servers under the attackers' control.

"The attack represents a new escalation in supply chain threats," Endor Labs said in a report published last week. "Unlike traditional npm malware, which often targets developer credentials, this campaign exploited workflow automation platforms that act as centralized credential vaults – holding OAuth tokens, API keys, and sensitive credentials for dozens of integrated services like Google Ads, Stripe, and Salesforce in a single location."

The complete list of identified packages, which have since been removed, is as follows -

The users "zabuza-momochi," "dan_even_segler," and "diendh" have also been linked to other libraries that are still available for download as of writing -

It's not clear if they harbor similar malicious functionality. However, an assessment of the first three packages on ReversingLabs Spectra Assure has uncovered no security issues. In the case of "n8n-nodes-zl-vietts," the analysis has flagged the library as containing a component with malware history.

Interestingly, an updated version of the package "n8n-nodes-gg-udhasudsh-hgjkhg-official" was published to npm just three hours ago, suggesting that the campaign is possibly ongoing.

The malicious package, once installed as a community node, behaves like any other n8n integration, displaying configuration screens and saving the Google Ads account OAuth tokens in encrypted format to the n8n credential store. When the workflow is executed, it runs code to decrypt the stored tokens using n8n's master key and exfiltrates them to a remote server.

The development marks the first time a supply chain threat has explicitly targeted the n8n ecosystem, with bad actors weaponizing the trust in community integrations to achieve their goals.

The findings highlight the security issues that come with integrating untrusted workflows, which can expand the attack surface. Developers are recommended to audit packages before installing them, scrutinize package metadata for any anomalies, and use official n8n integrations.

Source: The Hacker News

🏷️ Tags

securitymalwareattackthreatexploit

More from Cybersecurity

Facebook Login Thieves Now Using Browser-in-browser Trick 2026

Facebook Login Thieves Now Using Browser-in-browser Trick 2026

2026-01-12 0
Cisa Orders Feds To Patch Gogs RCE Flaw Exploited In Zero-day Attacks (2026)

Cisa Orders Feds To Patch Gogs RCE Flaw Exploited In Zero-day Attacks (2026)

2026-01-12 0
'bad Actor' Hijacks Apex Legends Characters In Live Matches 2026

'bad Actor' Hijacks Apex Legends Characters In Live Matches 2026

2026-01-12 0
New Hexnode Moves Into Endpoint Security With Hexnode XDR 2026 - Analysis

New Hexnode Moves Into Endpoint Security With Hexnode XDR 2026 - Analysis

2026-01-12 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views