n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens

These articles are AI-generated summaries. Please check the original sources for full details.

Threat actors uploaded eight malicious npm packages disguised as n8n community nodes to steal OAuth credentials, impacting integrations like Google Ads, Stripe, and Salesforce. These packages collectively garnered over 20,000 downloads before detection and removal.

Why This Matters

Automated workflow platforms like n8n centralize sensitive credentials, which makes them a high-value target for attackers. Traditional supply chain attacks often target developer credentials, but this campaign exploited a centralized credential vault. Compromised tokens can lead to significant financial loss and data breaches, scaling the impact beyond individual developer accounts.

Key Insights

  • 8 malicious packages identified: Published to npm in January 2026, targeting n8n users.
  • OAuth token exfiltration: Attackers decrypted and stole tokens using n8n’s master key.
  • Lack of sandboxing: n8n community nodes run with the same privileges as the n8n service itself, offering attackers broad access.

Practical Applications

  • Use Case: Marketing agencies using n8n to automate Google Ads management are at risk of account takeover.
  • Pitfall: Relying on untrusted community nodes without proper auditing can introduce significant security vulnerabilities.
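
One way to do the auditing mentioned above, as an added example that is not from the original article or from n8n: compare installed community node packages against an allowlist of reviewed name/version pairs and flag install-time scripts. The package names, versions, allowlist and the `~/.n8n/nodes/node_modules` default path are assumptions.

```javascript
// Added example; every package name and version below is constructed.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Community node naming convention: n8n-nodes-* or @scope/n8n-nodes-*
function isCommunityNode(name) {
  return /^(@[^/]+\/)?n8n-nodes-/.test(name || '');
}

// manifests: parsed package.json objects; allowlist: Map of name -> reviewed version
function auditCommunityNodes(manifests, allowlist) {
  const findings = [];
  for (const m of manifests) {
    if (!isCommunityNode(m.name)) continue;
    const reasons = [];
    const reviewed = allowlist.get(m.name);
    if (reviewed === undefined) reasons.push('not on reviewed allowlist');
    else if (reviewed !== m.version) reasons.push(`version ${m.version}, reviewed ${reviewed}`);
    const hooks = LIFECYCLE.filter((s) => m.scripts?.[s]); // run at install time
    if (hooks.length) reasons.push(`install scripts: ${hooks.join(', ')}`);
    if (reasons.length) findings.push({ name: m.name, version: m.version, reasons });
  }
  return findings;
}

// Reads each package.json under a node_modules directory, scoped packages included.
// Assumption: a default self-hosted install keeps them in ~/.n8n/nodes/node_modules.
async function loadManifests(dir) {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const out = [];
  for (const entry of fs.readdirSync(dir)) {
    const pkgs = entry.startsWith('@')
      ? fs.readdirSync(path.join(dir, entry)).map((d) => path.join(entry, d))
      : [entry];
    for (const p of pkgs) {
      const file = path.join(dir, p, 'package.json');
      if (fs.existsSync(file)) out.push(JSON.parse(fs.readFileSync(file, 'utf8')));
    }
  }
  return out;
}

const SAMPLE_ALLOWLIST = new Map([['n8n-nodes-example-crm', '1.2.0'], ['@example/n8n-nodes-billing', '2.0.0']]);
const SAMPLE_MANIFESTS = [
  { name: 'n8n-nodes-example-crm', version: '1.2.0' },
  { name: 'n8n-nodes-example-ads', version: '0.0.3', scripts: { postinstall: 'node setup.js' } },
  { name: '@example/n8n-nodes-billing', version: '2.1.0' },
  { name: 'lodash', version: '4.17.21' }, // not a community node, skipped
];
console.log(JSON.stringify(auditCommunityNodes(SAMPLE_MANIFESTS, SAMPLE_ALLOWLIST), null, 2));
```

To audit a real instance, pass the result of `await loadManifests(<path>)` in place of the sample manifests. Because community nodes run with the n8n service's privileges, any package that is not on the allowlist is a finding regardless of what it declares.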
