
"Threat actors have been observed uploading a set of eight packages on the npm registry that masqueraded as integrations targeting the n8n workflow automation platform to steal developers' OAuth credentials. One such package, named "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit," mimics a Google Ads integration, and prompts users to link their advertising account in a seemingly legitimate form and then siphon it to servers under the attackers' control."
""The attack represents a new escalation in supply chain threats," Endor Labs said in a report published last week. "Unlike traditional npm malware, which often targets developer credentials, this campaign exploited workflow automation platforms that act as centralized credential vaults - holding OAuth tokens, API keys, and sensitive credentials for dozens of integrated services like Google Ads, Stripe, and Salesforce in a single location.""
Threat actors uploaded eight malicious packages to the npm registry that impersonated n8n workflow automation integrations to steal developers' OAuth credentials. One package, n8n-nodes-hfgjf-irtuinvcm-lasdqewriit, mimicked a Google Ads integration, prompted users to link advertising accounts, and exfiltrated credentials to attacker-controlled servers. The identified packages were removed from npm. Endor Labs described the attack as a new escalation in supply chain threats, noting the targeting of workflow automation platforms that serve as centralized credential vaults. The campaign targeted tokens, API keys, and credentials for services such as Google Ads, Stripe, and Salesforce. Some linked authors maintain other available libraries; their maliciousness remains unclear. ReversingLabs Spectra Assure found no security issues in the first three assessed packages.
Read at The Hacker News