Malicious npm Packages Target n8n — Tokens Stolen Now

Researchers found malicious npm packages masquerading as n8n integrations that exfiltrate OAuth tokens and API keys. Confirmed supply‑chain compromise — act now to revoke keys, audit dependencies and lock down workflows.
  • Researchers discovered malicious npm packages posing as n8n integrations that exfiltrate OAuth tokens and API keys.
  • The packages are a supply‑chain threat: they embed code that harvests credentials from enterprise workflows and sends them to attacker-controlled endpoints.
  • Immediate steps: remove suspicious packages, rotate OAuth tokens and API keys, audit and lock dependencies, and enforce least privilege and network egress controls.

Malicious npm packages target the n8n automation platform in a supply‑chain attack

What happened

Security researchers have identified a series of malicious npm packages that pose as third‑party integrations for the n8n automation platform. The packages were designed to harvest sensitive credentials — including OAuth tokens and API keys — used by enterprise automation workflows, then exfiltrate those secrets to attacker‑controlled infrastructure. Because n8n is widely used to integrate SaaS apps and APIs, compromised credentials could enable broad downstream access to corporate systems and data.

How the attack works

The malicious packages masqueraded as legitimate n8n nodes or integrations. When installed into an n8n instance, they execute code that searches for stored connection metadata and environment variables commonly used to hold OAuth tokens, API keys and other secrets, then transmits the harvested data to external endpoints under the attacker's control. Two general properties of the platform, not specific to this report, make that effective: npm runs a package's lifecycle scripts (such as postinstall) at install time, so the harvesting code can run before the node is ever used in a workflow, and n8n keeps workflow credentials encrypted in its database under a key that is itself normally supplied through the environment (N8N_ENCRYPTION_KEY), so an implant that can read the host's environment can typically unlock the stored credentials as well. This style of supply-chain compromise leverages trust in package registries and third-party modules to gain access to high-value credentials.

Why this is dangerous

Automation platforms like n8n often centralize credentials for many services to enable cross‑system workflows. That centralization creates a single point of failure: a successful supply‑chain implant can expose credentials for multiple cloud services, CRMs, payment systems, and internal APIs. Attackers who obtain OAuth tokens or API keys can impersonate services, pivot inside networks and carry out fraud, data theft or further persistence.

Recommended immediate actions
  • Remove any recently installed or unknown npm packages from n8n instances and developer environments.
  • Rotate OAuth tokens, API keys and other credentials that may have been exposed. Treat tokens stored in automation workflows as compromised until verified.
  • Audit dependency manifests and lockfiles (package.json, package-lock.json), pin trusted versions, and verify registry signatures and provenance attestations where they are available (npm audit signatures checks both). Use reproducible builds. Installing with lifecycle scripts disabled (npm config set ignore-scripts true) removes the install-time execution path such implants rely on, at the cost of breaking packages that genuinely need a build step.
  • Restrict outbound network access from automation hosts so packages cannot easily exfiltrate data to arbitrary endpoints.
  • Deploy code and dependency scanning tools to detect malicious or tampered packages in CI/CD and developer workstations.
  • Apply least‑privilege credentials to integrations and enable logging/alerting on anomalous token use.

What to watch for

Monitor for unexpected requests from n8n servers to unknown domains, sudden token revocations or usage from unfamiliar IP addresses, and any new or unapproved npm packages in dependency trees. Because supply‑chain threats exploit trust, organizations should treat third‑party packages and community integrations with caution and incorporate supply‑chain protections into their development lifecycle.


As the investigation continues, administrators should assume credentials used by automation workflows could be compromised and take swift steps to contain and remediate the exposure.

Source article (CSO Online): https://www.csoonline.com/article/4115417/malicious-npm-packages-target-n8n-automation-platform-in-a-supply-chain-attack.html
