Security researchers have uncovered a malicious campaign involving fake npm packages designed to impersonate integrations for the n8n workflow automation platform. The goal is simple but dangerous: steal OAuth tokens and sensitive credentials from developers and organizations.
Investigators identified at least eight npm packages posing as legitimate n8n community nodes. One of the most notable examples, n8n-nodes-hfgjf-irtuinvcm-lasdqewriit, pretended to be a Google Ads integration. After installation, it displayed a convincing setup screen that asked users to connect their advertising accounts. Behind the scenes, the credentials were quietly sent to attacker-controlled servers.
According to a recent report from Endor Labs, this campaign represents a shift in how supply chain attacks are being executed.
Unlike typical npm malware that targets developer machines directly, this operation focused on workflow automation tools that function as centralized credential stores. These platforms often hold OAuth tokens, API keys, and access details for services such as Google Ads, Stripe, and Salesforce in one place.
Removed Malicious Packages
The following packages have been taken down from the npm registry after being flagged as malicious:
- n8n-nodes-hfgjf-irtuinvcm-lasdqewriit (4,241 downloads)
- n8n-nodes-ggdv-hdfvcnnje-uyrokvbkl (1,657 downloads)
- n8n-nodes-vbmkajdsa-uehfitvv-ueqjhhhksdlkkmz (1,493 downloads)
- n8n-nodes-performance-metrics (752 downloads)
- n8n-nodes-gasdhgfuy-rejerw-ytjsadx (8,385 downloads)
- n8n-nodes-danev (5,525 downloads)
- n8n-nodes-rooyai-model (1,731 downloads)
- n8n-nodes-zalo-vietts (4,241 downloads)
Several of the developers associated with these packages are also linked to other n8n-related libraries that remain available. While some of those packages appear clean, one library flagged by ReversingLabs contains components with a known malware history.
Adding to the concern, a fresh update to one of the suspicious packages was published just hours ago, suggesting the campaign may still be active.
How the Attack Works
Once installed, the malicious node behaves like a normal n8n integration. It saves OAuth credentials in the n8n credential store using encryption, just as legitimate nodes do. However, when a workflow runs, the hidden code decrypts those credentials using n8n’s master key and sends them to an external server controlled by the attackers.
This is the first known supply chain attack to directly target the n8n ecosystem, abusing trust in community-built integrations to gain access to sensitive automation environments.
Why Community Nodes Are Risky
n8n has reiterated warnings about the risks of installing community nodes from npm. These nodes run with the same permissions as the core platform, meaning they can:
- Access environment variables
- Read and write files on the host system
- Make outbound network requests
- Receive decrypted API keys and OAuth tokens during workflow execution
Because there is no sandboxing or isolation, a single malicious package can monitor workflows, steal credentials, and communicate externally without obvious signs of compromise.
Security Recommendations
To reduce risk, developers and organizations are advised to:
- Carefully audit npm packages before installing them
- Review package metadata, authorship, and update history
- Prefer official n8n integrations whenever possible
- Disable community nodes on self-hosted instances by setting N8N_COMMUNITY_PACKAGES_ENABLED=false
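A small audit script, added here as an example and not code from n8n, Endor Labs or ReversingLabs, that checks the dependency list of an n8n instance's community-node manifest against the takedown list above and reports whether N8N_COMMUNITY_PACKAGES_ENABLED is set to false. It assumes community nodes are recorded under `dependencies` in `<N8N_USER_FOLDER>/.n8n/nodes/package.json`; the allowlist and the sample manifest are constructed.

```javascript
// Added audit helper (not n8n's or the researchers' code). It reads the
// dependency list of an n8n community-node manifest (assumed location:
// <N8N_USER_FOLDER>/.n8n/nodes/package.json), matches it against the packages
// removed from npm in this campaign, and queues every other n8n-nodes-*
// package that the operator has not explicitly approved for manual review.

// Names copied from the takedown list above.
const FLAGGED_PACKAGES = new Set([
  "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit",
  "n8n-nodes-ggdv-hdfvcnnje-uyrokvbkl",
  "n8n-nodes-vbmkajdsa-uehfitvv-ueqjhhhksdlkkmz",
  "n8n-nodes-performance-metrics",
  "n8n-nodes-gasdhgfuy-rejerw-ytjsadx",
  "n8n-nodes-danev",
  "n8n-nodes-rooyai-model",
  "n8n-nodes-zalo-vietts",
]);

// Audit one manifest. `approved` is the operator's own allowlist; any
// n8n-nodes-* package outside it (and not already flagged) needs review.
function auditCommunityNodes(packageJsonText, approved = new Set()) {
  const manifest = JSON.parse(packageJsonText);
  const installed = Object.keys(manifest.dependencies || {});
  const flagged = installed.filter((name) => FLAGGED_PACKAGES.has(name));
  const review = installed.filter(
    (name) => name.startsWith("n8n-nodes-") && !FLAGGED_PACKAGES.has(name) && !approved.has(name)
  );
  return { installed, flagged, review };
}

// Treats only the literal value "false" (the setting recommended above) as
// disabled; an unset or misspelled variable is reported as still enabled.
function communityNodesDisabled(env) {
  return env.N8N_COMMUNITY_PACKAGES_ENABLED === "false";
}

// Constructed sample manifest standing in for a real nodes/package.json.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "installed-nodes",
  private: true,
  dependencies: {
    "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit": "^1.0.0",
    "n8n-nodes-example-approved": "^2.1.0",
    "n8n-nodes-unknown-vendor": "^0.3.0",
  },
});

const report = auditCommunityNodes(SAMPLE_MANIFEST, new Set(["n8n-nodes-example-approved"]));
console.log("flagged:", report.flagged);      // ["n8n-nodes-hfgjf-irtuinvcm-lasdqewriit"]
console.log("needs review:", report.review);  // ["n8n-nodes-unknown-vendor"]
console.log("community nodes disabled:", communityNodesDisabled(process.env));
```

On a real instance, pass the contents of the nodes/package.json file and the operator's own allowlist instead of the constructed sample.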
The findings highlight how workflow automation platforms are becoming high-value targets. As attackers continue to exploit trusted ecosystems, supply chain security is no longer optional, especially in environments that manage credentials at scale.