n8n Supply Chain Attack Steals OAuth Tokens by Abusing Community Nodes

In order to obtain developers’ OAuth credentials, threat actors have been seen uploading eight packages to the npm registry under the guise of integrations for the n8n workflow automation platform.

One such package, called “n8n-nodes-hfgjf-irtuinvcm-lasdqewriit,” imitates a Google Ads integration and asks users to connect their advertising account through an authentic-looking flow, then siphons the resulting credentials to servers controlled by the attackers.

“The assault marks a new escalation in supply chain threats,” according to a report released last week by Endor Labs. “Unlike conventional npm malware, which often focuses on developer credentials, this campaign exploited workflow automation platforms that serve as centralized credential vaults – holding OAuth tokens, API keys, and confidential credentials for dozens of integrated services like Google Ads, Stripe, and Salesforce in a single location.”

The entire list of packages that were found but have since been deleted is as follows:

  • n8n-nodes-hfgjf-irtuinvcm-lasdqewriit (4,241 downloads, author: kakashi-hatake)
  • n8n-nodes-ggdv-hdfvcnnje-uyrokvbkl (1,657 downloads, author: kakashi-hatake)
  • n8n-nodes-vbmkajdsa-uehfitvv-ueqjhhhksdlkkmz (1,493 downloads, author: kakashi-hatake)
  • n8n-nodes-performance-metrics (752 downloads, author: hezi109)
  • n8n-nodes-gasdhgfuy-rejerw-ytjsadx (8,385 downloads, author: zabuza-momochi)
  • n8n-nodes-danev (5,525 downloads, author: dan_even_segler)
  • n8n-nodes-rooyai-model (1,731 downloads, author: haggags)
  • n8n-nodes-zalo-vietts (4,241 downloads, authors: vietts_code and diendh)

Additionally, the usernames “zabuza-momochi,” “dan_even_segler,” and “diendh” have been connected to other libraries that are currently accessible for download:

  • n8n-nodes-gg-udhasudsh-hgjkhg-official (2,863 downloads)
  • n8n-nodes-danev-test-project (1,259 downloads)
  • @diendh/n8n-nodes-tiktok-v2 (218 downloads)
  • n8n-nodes-zl-vietts (6,357 downloads)

It’s unclear whether they have comparable malicious capabilities. An evaluation of the first three packages on ReversingLabs Spectra Assure found no security flaws, while for “n8n-nodes-zl-vietts” the analysis identified a component with a malware history in the library.

It’s worth noting that just three hours ago, a revised version of the package “n8n-nodes-gg-udhasudsh-hgjkhg-official” was submitted to npm, indicating that the campaign may still be in progress.

Once deployed as a community node, the malicious package displays configuration panels and saves the Google Ads account OAuth tokens in encrypted form to the n8n credential store, just like any other n8n integration. When the workflow runs, its code decrypts the tokens using n8n’s master key and exfiltrates them to a remote server.

“Community nodes have the same degree of access as n8n,” researchers Kiran Raj and Henrik Plate said. “They can read environment variables, access the file system, make outbound network requests, and—most importantly—receive decrypted API keys and OAuth tokens during workflow execution. There is no sandboxing or isolation between node code and the n8n runtime.”

Because of this, a single malicious npm package is enough to communicate externally, steal credentials, and gain broad visibility into operations without drawing immediate attention. The npm supply chain gives attackers an extremely efficient and silent way into n8n systems.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
