Cybercriminals have uploaded malicious npm packages disguised as legitimate n8n integrations to steal OAuth credentials from developers. This campaign exploited the n8n workflow automation platform, increasing supply chain risks for centralized credential vaults. #n8n #npmMalware
Keypoints
- Threat actors uploaded eight malicious npm packages targeting the n8n platform to steal OAuth credentials.
- The malicious packages mimic real integrations, such as Google Ads, to trick users into linking their accounts.
- This is the first known supply chain attack specifically targeting the n8n ecosystem.
- The campaign involved exfiltrating encrypted OAuth tokens to remote servers during workflow execution.
- Developers are advised to audit packages, scrutinize metadata, and disable community nodes to mitigate risks.
Read More: https://thehackernews.com/2026/01/n8n-supply-chain-attack-abuses.html