n8n Supply Chain Attack Exploits Community Nodes to Steal OAuth Tokens
Summary
Threat actors uploaded eight malicious npm packages mimicking n8n workflow automation integrations to steal OAuth credentials. The packages targeted developers using n8n, prompting them to link accounts and exfiltrating tokens to attacker-controlled servers. This represents a new escalation in supply chain threats, exploiting centralized credential vaults in workflow automation platforms. The campaign is ongoing, with updated versions of some packages published recently.
Timeline
- 12.01.2026 18:39 (1 article)
Malicious npm Packages Target n8n Community Nodes to Steal OAuth Tokens
Threat actors uploaded eight malicious npm packages mimicking n8n integrations to steal OAuth credentials. The packages prompted users to link Google Ads accounts, exfiltrating tokens to attacker-controlled servers. The campaign is ongoing, with updated versions of some packages published recently.
Sources:
- n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens — thehackernews.com — 12.01.2026 18:39
Information Snippets
- Eight malicious npm packages were uploaded, masquerading as n8n integrations.
  First reported: 12.01.2026 18:39 (1 source, 1 article)
- The packages prompted users to link Google Ads accounts, stealing OAuth tokens.
  First reported: 12.01.2026 18:39 (1 source, 1 article)
- The attack targeted n8n's community nodes, which run with the same access level as n8n itself.
  First reported: 12.01.2026 18:39 (1 source, 1 article)
- The malicious packages have been removed, but some related packages remain available.
  First reported: 12.01.2026 18:39 (1 source, 1 article)
- The campaign is ongoing, with updated versions of some packages published recently.
  First reported: 12.01.2026 18:39 (1 source, 1 article)