Security researchers have identified a new supply chain attack targeting the n8n workflow automation platform, where attackers uploaded multiple malicious packages to the npm registry disguised as legitimate community nodes.
These packages were crafted to resemble official integrations, including connectors for Google Ads and performance monitoring services. Once installed, they presented standard configuration interfaces, encouraging users to authorize external accounts. The provided OAuth credentials were then covertly extracted and transmitted to attacker-controlled infrastructure.
One of the malicious packages imitated a Google Ads connector and prompted users to link their advertising account through what appeared to be a genuine authorization form. Behind the scenes, the credentials were intercepted and forwarded to remote servers without the user’s knowledge.
According to security researchers, this campaign represents a notable shift in supply chain attacks. Instead of focusing on developer workstations, the attackers targeted automation platforms that store and manage sensitive credentials for multiple services in one place.
At least eight npm packages were confirmed to contain malicious functionality before being removed from the registry. Some of these packages had already accumulated thousands of downloads. Additional related packages published by the same authors remain available, and their behavior is still under investigation.
Analysis revealed that after installation, the malicious node stored credentials normally within n8n’s credential system. During workflow execution, the node accessed and decrypted the stored tokens using the platform’s internal mechanisms and then exfiltrated the data to external endpoints controlled by the attackers.
This is the first publicly documented case of a supply chain attack explicitly focused on the n8n ecosystem. The incident demonstrates how trust in community-contributed automation components can be exploited to gain unauthorized access to business integrations and cloud services.
Researchers also noted that n8n community nodes operate with the same privileges as the core platform. This allows a malicious node to access environment variables, read and write files, perform outbound network communication, and interact with decrypted credentials during execution, making detection difficult.
The campaign is believed to be ongoing, as new versions of some packages were published shortly before the discovery was made public.