

Ethical Hacking News

N8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens



A new attack has been discovered that exploits vulnerabilities in the n8n workflow automation platform, stealing OAuth tokens through malicious packages on the npm registry. The attack marks the first time a supply chain threat has targeted the n8n ecosystem, highlighting the importance of maintaining robust security measures and staying vigilant against emerging threats.

  • The n8n workflow automation platform was targeted by a sophisticated attack that exploited community integrations on the npm registry.
  • A malicious campaign created and distributed packages masquerading as legitimate integrations to steal developers' OAuth credentials.
  • The attack highlighted security issues with integrating untrusted workflows, expanding the attack surface.
  • Developers are advised to audit packages before installing them, scrutinize package metadata for anomalies, and use official n8n integrations.
  • N8n has taken steps to address this vulnerability by disabling community nodes on self-hosted instances.


    The cybersecurity landscape has seen numerous breaches and vulnerabilities over the years, but a recent attack that targeted the n8n workflow automation platform stands out for its sophistication and malicious intent. The attack, which was uncovered by researchers at Endor Labs, involved the creation and distribution of eight packages on the npm registry, masquerading as legitimate integrations, to steal developers' OAuth credentials.

    The identified packages, including "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit" and "n8n-nodes-ggdv-hdfvcnnje-uyrokvbkl," were found to have been uploaded by users with the usernames "kakashi-hatake" and "zabuza-momochi." These packages, which were downloaded over 10,000 times, functioned like any other n8n integration, displaying configuration screens and saving the OAuth tokens in encrypted format to the n8n credential store.

    When executed as part of a workflow, the malicious code ran on remote servers to decrypt the stored tokens using n8n's master key and exfiltrated them. The attack represents a new escalation in supply chain threats, exploiting the trust in community integrations to achieve malicious goals.

    "The attack represents a new escalation in supply chain threats," said researchers Kiran Raj and Henrik Plate. "Unlike traditional npm malware, which often targets developer credentials, this campaign exploited workflow automation platforms that act as centralized credential vaults – holding OAuth tokens, API keys, and sensitive credentials for dozens of integrated services like Google Ads, Stripe, and Salesforce in a single location."

    The attack highlights the security issues with integrating untrusted workflows, expanding the attack surface. Developers are advised to audit packages before installing them, scrutinize package metadata for any anomalies, and use official n8n integrations.

    N8n has also warned about the security risk arising from the use of community nodes from npm, which it said can execute malicious actions on the machine that the service runs on. On self-hosted n8n instances, it's advised to disable community nodes by setting N8N_COMMUNITY_PACKAGES_ENABLED to false.

    "Community nodes run with the same level of access as n8n itself," researchers noted. "They can read environment variables, access the file system, make outbound network requests, and, most critically, receive decrypted API keys and OAuth tokens during workflow execution."

    There is no sandboxing or isolation between node code and the n8n runtime, making a single malicious npm package enough to gain deep visibility into workflows, steal credentials, and communicate externally without raising immediate suspicion.

    The attack marks the first time a supply chain threat has explicitly targeted the n8n ecosystem. The malicious functionality was initially uncovered by an assessment of the packages on ReversingLabs Spectra Assure.

    It's not clear if users who have installed these packages harbor similar malicious functionality. However, an updated version of the package "n8n-nodes-gg-udhasudsh-hgjkhg-official" was published to npm just three hours ago, suggesting that the campaign is possibly ongoing.

    The incident serves as a reminder for developers and organizations to prioritize security when integrating untrusted workflows. Auditing packages before installation, scrutinizing package metadata, and using official n8n integrations are recommended measures to prevent similar attacks.

    In addition, N8n has taken steps to address this vulnerability by disabling community nodes on self-hosted instances and warning users about the potential risks of using npm packages from untrusted sources.

    The incident underscores the importance of keeping robust cybersecurity measures in place and staying vigilant against emerging threats. As the threat landscape continues to evolve, it's essential for developers, organizations, and individuals to stay informed and take proactive steps to protect themselves from supply chain attacks like this one.
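
As an added example (not code from n8n, Endor Labs or the original article), the audit-and-disable advice above can be turned into a check over the community nodes installed on a self-hosted instance. The package names and usernames are the ones quoted in the article; the metadata heuristics, and pointing `auditDirectory` at the instance's community-node `node_modules` folder, are assumptions of this example.

```javascript
const fs = require('fs');
const path = require('path');

// Package names and publisher usernames quoted in the article.
const REPORTED_PACKAGES = new Set([
  'n8n-nodes-hfgjf-irtuinvcm-lasdqewriit',
  'n8n-nodes-ggdv-hdfvcnnje-uyrokvbkl',
  'n8n-nodes-gg-udhasudsh-hgjkhg-official',
]);
const REPORTED_PUBLISHERS = new Set(['kakashi-hatake', 'zabuza-momochi']);

// The metadata heuristics below are assumptions of this example.
function auditManifest(pkg) {
  const findings = [];
  const name = pkg.name || '';
  if (REPORTED_PACKAGES.has(name)) findings.push('name reported as malicious');
  const people = [pkg.author, ...(pkg.maintainers || [])]
    .map((p) => (typeof p === 'string' ? p : p && p.name) || '');
  if (people.some((p) => REPORTED_PUBLISHERS.has(p.toLowerCase())))
    findings.push('publisher reported as malicious');
  if (!pkg.repository) findings.push('no source repository declared');
  for (const hook of ['preinstall', 'install', 'postinstall'])
    if ((pkg.scripts || {})[hook]) findings.push(`runs ${hook} script`);
  // A run of five or more consonants suggests a keyboard-mashed name.
  if (/[bcdfghjklmnpqrstvwxz]{5,}/i.test(name.replace(/^n8n-nodes-/, '')))
    findings.push('random-looking package name');
  return findings;
}

// Walk one node_modules directory, descending one level into @scope folders.
function auditDirectory(nodeModulesDir) {
  const report = {};
  for (const entry of fs.readdirSync(nodeModulesDir)) {
    const dirs = entry.startsWith('@')
      ? fs.readdirSync(path.join(nodeModulesDir, entry)).map((d) => path.join(entry, d))
      : [entry];
    for (const dir of dirs) {
      const manifest = path.join(nodeModulesDir, dir, 'package.json');
      if (!fs.existsSync(manifest)) continue;
      const pkg = JSON.parse(fs.readFileSync(manifest, 'utf8'));
      if (!/(^|\/)n8n-nodes-/.test(pkg.name || '')) continue;
      const findings = auditManifest(pkg);
      if (findings.length) report[pkg.name] = findings;
    }
  }
  return report;
}

// True only when the setting named in the article is explicitly "false".
const communityNodesDisabled = (env = process.env) =>
  String(env.N8N_COMMUNITY_PACKAGES_ENABLED).toLowerCase() === 'false';
```

An installed package.json often carries no publisher data, so confirm publishers against the registry (for example with `npm view <package> maintainers`) before trusting a clean result.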



    Related Information:
  • https://www.ethicalhackingnews.com/articles/N8n-Supply-Chain-Attack-Abuses-Community-Nodes-to-Steal-OAuth-Tokens-ehn.shtml

  • https://thehackernews.com/2026/01/n8n-supply-chain-attack-abuses.html


  • Published: Mon Jan 12 12:11:50 2026 by llama3.2 3B Q4_K_M












