Attackers have successfully infiltrated n8n's community node ecosystem using a malicious npm package disguised as a legitimate Google Ads integration tool.
The attack exposes a critical weakness in how workflow automation platforms handle third-party integrations and user credentials.
The malicious package, named n8n-nodes-hfgjf-irtuinvcm-lasdqewriit, tricked developers into entering their Google Ads OAuth credentials through a seemingly legitimate credential form.
Figure: attack overview.
Once submitted, the malicious code silently stole these credentials and sent them to an attacker-controlled server during workflow execution.
This supply chain attack represents a new escalation in cybersecurity threats, exploiting the trust that developers place in community-maintained integrations within automation platforms.
Why n8n Is a Target
n8n serves as a centralized credential vault, storing OAuth tokens and API keys for dozens of integrated services, such as Google Ads, Stripe, and Salesforce, in a single location.
This makes compromising even a single community node extremely valuable to attackers, because it gives them access to an entire organization's connected digital ecosystem.
Figure: the malicious Google Ads node shown in the n8n node palette after installing the compromised package.
The n8n platform's architecture makes it particularly vulnerable. Community nodes run with full operating system access: they can read environment variables, access the file system, and make outbound network requests, essentially inheriting the same trust level as the core platform itself.
Figure: installing an n8n community package via the GUI.
The Scope of the Problem
Endor Labs researchers identified at least eight malicious npm packages targeting the n8n ecosystem. The primary malicious package alone reached over 3,400 weekly downloads before removal.
Figure: the malicious npm package as listed in the npm registry.
Several packages have been removed from the npm registry, tracked through security advisories including GHSA-77g5-qpc3-x24r.
Endor Labs urges organizations to prioritize official n8n nodes over community alternatives and to carefully audit packages before installation.
Check package details for warning signs such as poor descriptions, unusual names, and very low download counts.
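One way to turn those warning signs into a repeatable pre-install check, as an added example that is not code from n8n, Endor Labs or the npm registry: the script below scores a package document for random-looking name tokens, a thin description, low download counts, a missing source repository, and a bundled credential type. The two package documents and the download figures are constructed samples (shaped like a version's package.json as served by the registry); the thresholds and the "n8n" manifest layout are assumptions.

```python
"""Heuristic pre-install audit of an n8n community node package.

Added example for this article; it is not code from n8n, Endor Labs or
the npm registry. The two package documents below are constructed samples
shaped like a version's package.json as served by the registry, and the
weekly download figures are likewise constructed (the real numbers would
come from the npm downloads API). All thresholds are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed thresholds (not published guidance).
MIN_DESCRIPTION_WORDS = 5
LOW_WEEKLY_DOWNLOADS = 50
MAX_CONSONANT_RUN = 3
MIN_VOWEL_RATIO = 0.25


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    message: str


def looks_random(token: str) -> bool:
    """Crude test for keyboard-mash name tokens: almost no vowels, a long
    consonant run, or a 'q' that is not followed by 'u'."""
    letters = "".join(c for c in token.lower() if c.isalpha())
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max(len(m) for m in re.findall(r"[^aeiou]+", letters) or [""])
    return (vowel_ratio < MIN_VOWEL_RATIO
            or longest_run > MAX_CONSONANT_RUN
            or re.search(r"q(?!u)", letters) is not None)


def audit_package(meta: dict, weekly_downloads: int) -> list:
    """Return the warning signs found in one package document."""
    findings = []
    name = meta.get("name", "")
    # Community nodes are published under the n8n-nodes-* prefix; inspect the rest.
    tokens = [t for t in name.removeprefix("n8n-nodes-").split("-") if t]
    odd = [t for t in tokens if looks_random(t)]
    if odd:
        findings.append(Finding("high", f"random-looking name tokens: {odd}"))
    description = meta.get("description") or ""
    if len(description.split()) < MIN_DESCRIPTION_WORDS:
        findings.append(Finding("medium", "description missing or very short"))
    if weekly_downloads < LOW_WEEKLY_DOWNLOADS:
        findings.append(Finding("medium", f"only {weekly_downloads} weekly downloads"))
    if not meta.get("repository"):
        findings.append(Finding("low", "no source repository published"))
    # Assumption: community nodes list their node and credential modules under
    # the package.json "n8n" key. A package that ships its own credential form
    # deserves a look at whether n8n already covers that service officially.
    manifest = meta.get("n8n") or {}
    if manifest.get("credentials"):
        findings.append(Finding("low", "package defines its own credential type(s); "
                                       "check the service is not already supported officially"))
    return findings


def risk_level(findings) -> str:
    """Collapse findings into a decision; the weights are assumptions."""
    weights = {"high": 3, "medium": 2, "low": 1}
    score = sum(weights[f.severity] for f in findings)
    return "reject" if score >= 4 else "review" if score >= 2 else "ok"


# Constructed sample: the package named in the article, with invented metadata.
SUSPICIOUS = {
    "name": "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit",
    "description": "Google Ads integration",
    "repository": None,
    "n8n": {"nodes": ["dist/nodes/GoogleAds.node.js"],
            "credentials": ["dist/credentials/GoogleAds.credentials.js"]},
}
# Constructed sample of an unremarkable community node (placeholder names and URL).
BENIGN = {
    "name": "n8n-nodes-example-weather",
    "description": "Community node that fetches current weather observations for a city.",
    "repository": {"type": "git", "url": "https://example.com/placeholder/n8n-nodes-example-weather"},
    "n8n": {"nodes": ["dist/nodes/Weather.node.js"]},
}

if __name__ == "__main__":
    for meta, downloads in ((SUSPICIOUS, 3400), (BENIGN, 800)):
        findings = audit_package(meta, downloads)
        print(meta["name"], "->", risk_level(findings))
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

The sample deliberately gives the suspicious package the article's 3,400 weekly downloads: the download-count check alone would pass it, and it is the name, description and repository checks that push it to "reject". Run this against the registry metadata of any community node before it goes anywhere near a production n8n instance, and treat "review" as a prompt to read the package source.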
Monitoring outbound network traffic from n8n instances and using isolated service accounts with minimal privileges can also significantly reduce exposure.
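The egress monitoring suggested above can be expressed as a simple allow-list review of connection logs, shown here as an added example that is not code from n8n or Endor Labs: connections made by the n8n process to any host outside the set expected for the configured integrations are aggregated into alerts. The log lines are constructed in a simplified "timestamp process dest:port bytes" format, the allow-list is an assumption, and "collector.example" is a reserved example name standing in for an attacker-controlled server.

```python
"""Egress review for an n8n host: flag connections to destinations outside
the set expected for the integrations in use.

Added example for this article, not code from n8n or Endor Labs. The log
lines are constructed in a simplified "timestamp process dest:port bytes"
format; a real deployment would feed it from a host firewall, proxy or
flow logs. The allow-list and the collector hostname are assumptions.
"""
from collections import defaultdict

# Assumed allow-list: hosts the configured integrations are expected to reach.
EXPECTED_EGRESS = {
    "googleads.googleapis.com",
    "oauth2.googleapis.com",
    "api.stripe.com",
    "registry.npmjs.org",
}

# Constructed sample log lines; "collector.example" stands in for an
# attacker-controlled server (reserved example domain, not a real host).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z n8n googleads.googleapis.com:443 2310
2024-01-01T10:00:02Z n8n oauth2.googleapis.com:443 880
2024-01-01T10:00:02Z n8n collector.example:443 1542
2024-01-01T10:00:05Z n8n api.stripe.com:443 4100
2024-01-01T10:00:09Z n8n collector.example:8443 1539
2024-01-01T10:00:10Z sshd 203.0.113.10:22 300
"""


def host_allowed(host: str) -> bool:
    """Exact match or subdomain of an allow-listed host."""
    return any(host == h or host.endswith("." + h) for h in EXPECTED_EGRESS)


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, proc, dest, nbytes = line.split()
    host, _, port = dest.rpartition(":")
    return {"ts": ts, "proc": proc, "host": host, "port": int(port), "bytes": int(nbytes)}


def unexpected_egress(log_text: str, process: str = "n8n") -> dict:
    """Aggregate connections by the n8n process to non-allow-listed hosts.

    Returns {host: {"first_seen", "connections", "bytes", "ports"}}.
    """
    alerts = defaultdict(lambda: {"first_seen": None, "connections": 0,
                                  "bytes": 0, "ports": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # Only the workflow engine's own traffic is in scope here.
        if rec["proc"] != process or host_allowed(rec["host"]):
            continue
        a = alerts[rec["host"]]
        a["first_seen"] = a["first_seen"] or rec["ts"]
        a["connections"] += 1
        a["bytes"] += rec["bytes"]
        a["ports"].add(rec["port"])
    return dict(alerts)


if __name__ == "__main__":
    for host, a in unexpected_egress(SAMPLE_LOG).items():
        print(f"ALERT {host}: {a['connections']} connections, {a['bytes']} bytes, "
              f"ports {sorted(a['ports'])}, first seen {a['first_seen']}")
```

Keeping the allow-list tight is what makes this useful: an n8n instance that only integrates Google Ads and Stripe should only ever talk to those providers' API hosts, so any other destination seen during workflow execution is worth an immediate look at which node made the request. A default-deny egress policy at the firewall turns the same list from a detection into a block.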
This attack mirrors earlier supply chain compromises targeting GitHub Actions workflows, demonstrating that threat actors continually adapt their tactics to exploit emerging automation platforms.
As workflow automation becomes increasingly central to business operations, organizations must balance convenience against the security implications of community-provided integrations.
