Threat actors have been targeting the n8n workflow automation platform through a supply chain attack by uploading eight malicious packages to the npm registry. These packages, posing as legitimate integrations, were designed to steal OAuth credentials from developers.
One of the malicious packages, named "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit," masqueraded as a Google Ads integration. It prompted users to link their advertising accounts via a legitimate-looking interface, subsequently siphoning the credentials to the attackers’ servers.
This incident represents a significant evolution in supply chain threats, as noted by Endor Labs. The attack exploits centralized credential vaults in workflow automation platforms, which can store sensitive OAuth tokens, API keys, and credentials for numerous services, including Google Ads and Salesforce.
The identified malicious packages included:
- n8n-nodes-hfgjf-irtuinvcm-lasdqewriit (4,241 downloads)
- n8n-nodes-ggdv-hdfvcnnje-uyrokvbkl (1,657 downloads)
- n8n-nodes-vbmkajdsa-uehfitvv-ueqjhhhksdlkkmz (1,493 downloads)
- n8n-nodes-performance-metrics (752 downloads)
- n8n-nodes-gasdhgfuy-rejerw-ytjsadx (8,385 downloads)
- n8n-nodes-danev (5,525 downloads)
- n8n-nodes-rooyai-model (1,731 downloads)
- n8n-nodes-zalo-vietts (4,241 downloads)
Although the packages have since been removed from the npm registry, other libraries published by the same accounts remain available for download, and whether those libraries are safe has not been established.
The compromised packages functioned as community nodes within n8n, which let the attackers display configuration screens and persist the captured OAuth tokens in the n8n credential store. At workflow execution time the nodes could obtain the decrypted tokens (n8n decrypts stored credentials with its master key) and send them to remote servers.
This sets a new precedent for supply chain attacks on the n8n ecosystem: the attackers exploited the trust users place in community integrations. Developers are advised to thoroughly audit every package before installation, to treat package metadata with caution, and to prefer official n8n integrations.
n8n has also emphasized the risks that come with using community nodes, warning that they can perform potentially malicious actions on the host machine and access sensitive information without isolation or sandboxing from the n8n runtime environment. This highlights an alarming vulnerability in the npm supply chain that could be exploited to steal credentials and gain unauthorized access to sensitive systems.