
SECURITY

n8n Supply Chain Attack Steals OAuth Tokens Via Nodes

The Silicon Review
13 January, 2026

A sophisticated supply chain attack compromised the n8n workflow automation platform by injecting malicious community nodes designed to steal user OAuth access tokens.

A critical supply chain attack has targeted users of the popular open-source automation platform n8n. Threat actors compromised the platform's community nodes repository, injecting malicious packages that, when installed, secretly harvested user OAuth tokens. This breach highlights a growing trend of attackers exploiting the trust within open-source ecosystems and developer tools to gain persistent, high-level access to a victim's integrated services and data.

The attack's sophistication lies in its abuse of the open-source community model. By submitting seemingly useful nodes to the public library, the attackers turned a channel for community collaboration into a vector for credential theft. This matters because stolen OAuth tokens grant attackers the same access levels as the user, bypassing passwords and multi-factor authentication to infiltrate connected apps like Google Workspace, GitHub, and Salesforce. The incident underscores a severe escalation in third-party risk, where a single compromised component can jeopardize an entire organization's SaaS environment.

For security teams and DevOps engineers, the implication is an urgent need to audit all integrated community nodes and automation workflows. Expect increased scrutiny of open-source package repositories and more stringent vetting processes for code dependencies. Decision-makers must implement strict controls on OAuth token usage and enforce mandatory code review for any third-party automation scripts. The next imperative for platforms like n8n is to enhance repository security with stricter submission audits and real-time malware scanning, ensuring that the collaborative power of community-driven development does not become its most critical vulnerability.
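One way to start the audit of installed community nodes described above, as an added example that is not code from the article or from the n8n project. It assumes community nodes are npm packages named `n8n-nodes-*` (optionally scoped) whose `package.json` carries an `n8n` section; the allowlist format, function name, and all package names are hypothetical.

```javascript
// Added example: compare installed n8n community node packages with a
// code-review allowlist pinned to exact versions.

// Assumption: community node packages are named "n8n-nodes-*", optionally
// under an npm scope such as "@org/n8n-nodes-*".
const COMMUNITY_NAME = /^(@[^/]+\/)?n8n-nodes-/;

// manifests: parsed package.json objects of the installed packages.
// reviewed:  { packageName: [versions that passed review] } (hypothetical format).
function auditCommunityNodes(manifests, reviewed) {
  const findings = [];
  for (const pkg of manifests) {
    if (!COMMUNITY_NAME.test(pkg.name || "")) continue; // not a community node
    const approved = Object.prototype.hasOwnProperty.call(reviewed, pkg.name)
      ? reviewed[pkg.name]
      : null;
    let reason = null;
    if (!approved) reason = "package not reviewed";
    else if (!approved.includes(pkg.version)) reason = "version not reviewed";
    if (!reason) continue; // exact name@version was reviewed
    // Credential definitions shipped by the package, kept as review context.
    const credentials = (pkg.n8n && Array.isArray(pkg.n8n.credentials))
      ? pkg.n8n.credentials
      : [];
    findings.push({ name: pkg.name, version: pkg.version, reason, credentials });
  }
  // Packages that ship credential definitions are listed first for review.
  return findings.sort((a, b) => b.credentials.length - a.credentials.length);
}

// Constructed sample data; every package name below is made up.
const SAMPLE_MANIFESTS = [
  { name: "n8n-nodes-example-crm", version: "1.2.0",
    n8n: { nodes: ["dist/Crm.node.js"],
           credentials: ["dist/CrmOAuth2Api.credentials.js"] } },
  { name: "@acme/n8n-nodes-example-sheets", version: "0.4.1",
    n8n: { nodes: ["dist/Sheets.node.js"] } },
  { name: "n8n-nodes-example-mail", version: "2.0.0",
    n8n: { nodes: ["dist/Mail.node.js"] } },
  { name: "lodash", version: "4.17.21" }, // ordinary dependency, ignored
];
const SAMPLE_REVIEWED = {
  "n8n-nodes-example-crm": ["1.1.0"],  // reviewed, but an older version
  "n8n-nodes-example-mail": ["2.0.0"], // reviewed at the installed version
};

console.log(auditCommunityNodes(SAMPLE_MANIFESTS, SAMPLE_REVIEWED));
```

Pinning the allowlist to exact versions means an update to a previously reviewed node is flagged again until the new version has been reviewed.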
