

n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens
Published:
12 January 2026 at 16:39:00
Alert date:
12 January 2026 at 19:01:33
Source:
thehackernews.com
Supply Chain & Dependencies, Web Technologies
Threat actors uploaded eight malicious packages on the npm registry masquerading as n8n workflow automation platform integrations. The packages, including one named 'n8n-nodes-hfgjf-irtuinvcm-lasdqewriit', mimic legitimate integrations like Google Ads to steal developers' OAuth credentials. The attack targets the n8n community by abusing the trust in community-developed nodes. Users are prompted to link their accounts through seemingly legitimate forms that actually harvest authentication tokens. This represents a sophisticated supply chain attack targeting the automation platform's ecosystem.
Technical details
Threat actors uploaded 8 malicious packages to the npm registry, masquerading as n8n integrations. The packages, such as 'n8n-nodes-hfgjf-irtuinvcm-lasdqewriit', mimic legitimate integrations like Google Ads. Once installed as community nodes, they display configuration screens and save OAuth tokens in encrypted format to the n8n credential store. During workflow execution, the malicious code decrypts the stored tokens using n8n's master key and exfiltrates them to attacker-controlled servers. Community nodes run with the same access level as n8n itself, with no sandboxing or isolation, which gives them access to environment variables, the file system, and network requests.
Mitigation steps:
Audit packages before installing them
Scrutinize package metadata for anomalies
Use official n8n integrations instead of community nodes
On self-hosted n8n instances, disable community nodes by setting N8N_COMMUNITY_PACKAGES_ENABLED to false
Review and monitor installed community packages for suspicious behavior
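An added example (not from the original alert or from n8n) supporting the audit and review steps above: it checks a community-node manifest against the package names in this page's IOC list, resolves npm aliases that can hide the real package name, and lists nodes nobody has reviewed. The function names, the sample manifest and the `n8n-nodes-example-*` packages are hypothetical; it assumes you pass in the parsed package.json from the directory where your instance installs community nodes.

```javascript
// Added example: package names copied from this page's IOC list.
const IOC_PACKAGES = new Set([
  "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit", "n8n-nodes-ggdv-hdfvcnnje-uyrokvbkl",
  "n8n-nodes-vbmkajdsa-uehfitvv-ueqjhhhksdlkkmz", "n8n-nodes-performance-metrics",
  "n8n-nodes-gasdhgfuy-rejerw-ytjsadx", "n8n-nodes-danev", "n8n-nodes-rooyai-model",
  "n8n-nodes-zalo-vietts", "n8n-nodes-gg-udhasudsh-hgjkhg-official",
  "n8n-nodes-danev-test-project", "@diendh/n8n-nodes-tiktok-v2", "n8n-nodes-zl-vietts",
]);

// Resolve the package a dependency entry really installs. An npm alias
// ("local-name": "npm:real-name@1.2.3") hides the real name in the version spec.
function resolvePackageName(key, spec) {
  const s = String(spec).trim();
  if (!s.startsWith("npm:")) return key.trim().toLowerCase();
  const target = s.slice(4);
  const at = target.lastIndexOf("@"); // index 0 is the scope marker, not a version
  return (at > 0 ? target.slice(0, at) : target).toLowerCase();
}

// manifest: parsed package.json of the community-node install directory.
// env: environment of the n8n process. reviewed: names your team has audited.
function auditCommunityNodes(manifest, env = {}, reviewed = []) {
  const allow = new Set(reviewed.map((n) => n.toLowerCase()));
  const report = { communityNodesEnabled: true, malicious: [], unreviewed: [] };
  // Assumption: n8n treats the setting as enabled unless it is explicitly "false".
  report.communityNodesEnabled =
    String(env.N8N_COMMUNITY_PACKAGES_ENABLED ?? "true").toLowerCase() !== "false";
  const deps = { ...manifest.dependencies, ...manifest.optionalDependencies };
  for (const [key, spec] of Object.entries(deps)) {
    const name = resolvePackageName(key, spec);
    if (IOC_PACKAGES.has(name)) report.malicious.push({ installedAs: key, name, spec });
    else if (!allow.has(name)) report.unreviewed.push(name);
  }
  return report;
}

// Constructed sample manifest (not taken from a real instance).
const sampleManifest = {
  dependencies: {
    "n8n-nodes-example-crm": "1.4.0", // hypothetical, reviewed
    "n8n-nodes-danev": "^0.1.0", // direct IOC match
    "ads-helper": "npm:@diendh/n8n-nodes-tiktok-v2@1.0.0", // IOC behind an alias
    "n8n-nodes-example-sheets": "2.0.1", // hypothetical, not reviewed
  },
};
const sampleReport = auditCommunityNodes(sampleManifest, {}, ["n8n-nodes-example-crm"]);
console.log(JSON.stringify(sampleReport, null, 2));
```

Any entry under `malicious` means the stored credentials for that instance should be treated as exposed and rotated, since the nodes run with the same access as n8n itself.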
Affected products:
n8n workflow automation platform
npm registry packages
Google Ads integrations
Stripe integrations
Salesforce integrations
Related links:
https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html
https://www.endorlabs.com/learn/n8mare-on-auth-street-supply-chain-attack-targets-n8n-ecosystem
https://docs.n8n.io/integrations/community-nodes/usage/
https://docs.n8n.io/integrations/community-nodes/risks/
https://secure.software/npm/packages/n8n-nodes-gg-udhasudsh-hgjkhg-official
https://secure.software/npm/packages/n8n-nodes-danev-test-project
https://secure.software/npm/packages/@diendh/n8n-nodes-tiktok-v2
https://secure.software/npm/packages/n8n-nodes-zl-vietts
IOCs:
n8n-nodes-hfgjf-irtuinvcm-lasdqewriit, n8n-nodes-ggdv-hdfvcnnje-uyrokvbkl, n8n-nodes-vbmkajdsa-uehfitvv-ueqjhhhksdlkkmz, n8n-nodes-performance-metrics, n8n-nodes-gasdhgfuy-rejerw-ytjsadx, n8n-nodes-danev, n8n-nodes-rooyai-model, n8n-nodes-zalo-vietts, n8n-nodes-gg-udhasudsh-hgjkhg-official, n8n-nodes-danev-test-project, @diendh/n8n-nodes-tiktok-v2, n8n-nodes-zl-vietts, kakashi-hatake, hezi109, zabuza-momochi, dan_even_segler, haggags, vietts_code, diendh
This article was created with the assistance of AI technology by Perceptive.

