
Malicious npm packages masquerading as n8n integrations to steal OAuth credentials

Malware Activity
H score 42
1 unique source, 1 article

Summary


A set of eight npm packages impersonating n8n integrations is stealing developers' OAuth credentials, putting linked services and workflow access at risk. One package mimics a Google Ads integration to lure users into connecting an account. The code then stores tokens in the n8n credential store, decrypts them with n8n's master key, and exfiltrates them to attacker-controlled servers. Because community nodes run with the same privileges as n8n, the activity can expose multiple integrated services from a single malicious package.

Related Happenings

n8n security fixes after Pillar findings

Security Patch Release
First: 12.03.2026 17:28 Last: 12.03.2026 17:28 Sources 1

About this happening: **n8n** released an **initial patch update in December 2025** and **nine security fixes in early 2026** to address reported flaws in the workflow automation platform. The update c...

StripeApi.Net malicious NuGet package exfiltrating Stripe API tokens

Malware Activity
First: 26.02.2026 12:09 Last: 26.02.2026 12:09 Sources 1

About this happening: A malicious **StripeApi.Net** package on **NuGet** impersonated **Stripe.net** and quietly stole **Stripe API tokens**, putting developers in the **financial sector** at risk. The...

n8n sandbox escape flaws (multiple vulnerabilities)

Vulnerability
First: 04.02.2026 15:00 Last: 04.02.2026 15:00 Sources 1

About this happening: Two **maximum-severity sandbox-escape flaws** in **n8n** expose **self-hosted and cloud instances** to **complete server takeover** and **credential theft**. An **authenticated us...

n8n self-hosted community nodes disable guidance

Advisory/Mitigation
First: 12.01.2026 18:39 Last: 12.01.2026 18:39 Sources 1

How related: On self-hosted n8n instances, it's advised to disable community nodes by setting N8N_COMMUNITY_PACKAGES_ENABLED to false.

About this happening: n8n warned **self-hosted operators** to **disable community nodes** because malicious npm packages can run code with the same access as n8n and steal decrypted credentials. The gu...

pkr_mtsi Windows loader delivers multiple payloads

Malware Activity
First: 07.01.2026 18:45 Last: 07.01.2026 18:45 Sources 1

About this happening: **pkr_mtsi** is a **Windows loader** now being used to push **trojanized installers** through **malvertising** and **SEO poisoning**, increasing initial-access risk for Windows us...

Timeline

  1. 12.01.2026 18:39 2 articles · 4mo ago

    Malicious npm packages impersonate n8n community nodes to steal OAuth tokens

    Initial Disclosure

    Threat actors uploaded eight npm packages that masqueraded as n8n community nodes to steal developers' OAuth credentials from n8n environments. One package, n8n-nodes-hfgjf-irtuinvcm-lasdqewriit, mimicked a Google Ads integration, prompted users to connect an advertising account, saved tokens in the n8n credential store, decrypted them with n8n's master key during workflow execution, and exfiltrated them to attacker-controlled servers.
