Supply Chain Woes Hit Automation Platforms
More than 100,000 servers running n8n, a popular workflow automation platform, were found vulnerable to a security flaw, CVE-2026-21858, according to data security company Cyera. This highlights the inherent risks within the growing ecosystem of low-code and no-code tools, where convenience can sometimes overshadow security.
A recent vulnerability underscores the need for vigilance when using community-built integrations.
- Workflow automation platforms like n8n simplify complex tasks.
- These platforms often rely on community-created “nodes” built using npm packages.
- This reliance introduces potential supply chain vulnerabilities.
- Proactive security measures are crucial to mitigate risks.
Workflow automation platforms such as n8n are gaining traction because they allow teams to connect different systems without extensive coding. However, the convenience of these platforms, especially their community node ecosystems, comes with a trade-off: a dependence on npm packages, which can introduce security risks. Researchers at Endor Labs noted that the n8n ecosystem is “active and thriving,” but this activity also means a larger attack surface.
What happened? Researchers at Endor Labs discovered malicious npm packages within the n8n community node ecosystem. These packages contained code designed to steal credentials and establish command-and-control infrastructure. The attack exploited the trust placed in community-contributed nodes, which are often used to extend the functionality of the platform.

Who was affected? Potentially over 100,000 servers running n8n were vulnerable, as identified by Cyera.

How did it happen? Attackers injected malicious code into npm packages, leveraging the platform’s reliance on these external dependencies.
What can users do to protect themselves from vulnerabilities in workflow automation platforms? Endor Labs researchers recommend prioritizing built-in integrations over community nodes whenever possible. They also advise carefully auditing the metadata and source code of any npm packages before installation. Continuous monitoring of outbound network activity from automation hosts and the use of isolated service accounts with limited privileges are further recommended safeguards.
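The “audit the metadata before installation” advice above can be partly automated. The following is an added example, not code from the article or from n8n or Endor Labs: a pre-install check over a community node's package.json that flags what a reviewer would want to look at first, above all npm lifecycle scripts, which run arbitrary code at install time. Both manifests are constructed placeholders, and it is an assumption here that n8n community node packages carry the keyword "n8n-community-node-package" and declare their nodes under an "n8n" key.

```javascript
// Added example (not from the article, n8n or Endor Labs): audit a community
// node's package.json metadata before `npm install` runs on an n8n host.

// Constructed sample manifest; the package name and file paths are placeholders.
// Assumption: n8n community node packages use the keyword
// "n8n-community-node-package" and declare their nodes under an "n8n" key.
const SUSPICIOUS_MANIFEST = {
  name: "n8n-nodes-placeholder-sync",
  version: "0.0.1",
  keywords: ["n8n-community-node-package"],
  n8n: { n8nNodesApiVersion: 1, nodes: ["dist/nodes/Sync.node.js"], credentials: [] },
  scripts: { build: "tsc", postinstall: "node scripts/setup.js" },
  dependencies: { "n8n-workflow": "*", axios: "^1.6.0" },
};

// Constructed manifest with the properties a reviewer would hope to see.
const CLEAN_MANIFEST = {
  name: "n8n-nodes-placeholder-clean",
  version: "1.2.0",
  keywords: ["n8n-community-node-package"],
  repository: { type: "git", url: "https://example.invalid/placeholder/repo" },
  n8n: { n8nNodesApiVersion: 1, nodes: ["dist/nodes/Clean.node.js"], credentials: [] },
  scripts: { build: "tsc", lint: "eslint ." },
  peerDependencies: { "n8n-workflow": "*" },
};

// npm runs these script names automatically during installation.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};

  // Any install-time hook is the single most important thing to read.
  for (const hook of INSTALL_HOOKS) {
    if (hook in scripts) {
      findings.push({ code: "lifecycle-script", detail: `${hook}: ${scripts[hook]}` });
    }
  }

  // Without a source link there is nothing to compare the published tarball against.
  if (!manifest.repository && !manifest.homepage) {
    findings.push({ code: "no-source-link", detail: "no repository or homepage to review" });
  }

  // A package that claims to be a community node should also declare one, and vice versa.
  const claimsNode = (manifest.keywords || []).includes("n8n-community-node-package");
  const declaresNode = Boolean(manifest.n8n && Array.isArray(manifest.n8n.nodes));
  if (claimsNode !== declaresNode) {
    findings.push({ code: "inconsistent-n8n-metadata", detail: "keyword and n8n block disagree" });
  }

  // Wide-open ranges let a later malicious release of a dependency slip in.
  for (const [dep, range] of Object.entries(manifest.dependencies || {})) {
    if (range === "*" || range === "latest") {
      findings.push({ code: "unpinned-dependency", detail: `${dep}@${range}` });
    }
  }

  const hasHook = findings.some((f) => f.code === "lifecycle-script");
  const risk = hasHook ? "high" : findings.length >= 2 ? "medium" : "low";
  return { name: manifest.name, risk, findings };
}

// Stand-alone run over the two constructed manifests.
const AUDIT_REPORTS = [SUSPICIOUS_MANIFEST, CLEAN_MANIFEST].map(auditManifest);
console.log(JSON.stringify(AUDIT_REPORTS, null, 2));
```

A "high" result is a prompt to read the hooked script and the published tarball, not a verdict; a package with no findings still deserves the source review the article recommends, since metadata alone cannot show what the node's code does at runtime.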
The researchers have published a list of indicators of compromise (IOCs), including specific package names, command-and-control infrastructure details, and malicious files, to aid in detection and response efforts.
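An IOC list like the one described is only useful once it is checked against real hosts. The following is an added example, not code from the article or from Endor Labs: it takes the two indicator types the article names, package names and command-and-control hosts, and checks one n8n host's lockfile and outbound-connection log against them, also reporting egress to destinations outside an expected allowlist (the “continuous monitoring of outbound network activity” the researchers recommend). Every IOC value, lockfile entry, hostname and log line is a constructed placeholder, not a real indicator.

```javascript
// Added example (not from the article or Endor Labs): match an IOC list
// against an n8n host's installed packages and its outbound-connection log.
// All indicators, package names and log lines below are constructed placeholders.

const IOC_LIST = {
  packages: ["n8n-nodes-placeholder-evil"],
  c2Hosts: ["c2.placeholder.invalid"],
};

// Destinations this automation host is expected to reach (constructed).
const EGRESS_ALLOWLIST = ["registry.npmjs.org", "api.placeholder-crm.invalid"];

// Minimal package-lock.json (lockfileVersion 2/3) shape: keys are install paths.
const SAMPLE_LOCKFILE = {
  packages: {
    "": { name: "n8n-host" },
    "node_modules/n8n-nodes-placeholder-clean": { version: "1.2.0" },
    "node_modules/n8n-nodes-placeholder-evil": { version: "0.0.3" },
    "node_modules/n8n-nodes-placeholder-evil/node_modules/axios": { version: "1.6.0" },
  },
};

// Constructed outbound-connection log in a simple key=value format.
const SAMPLE_EGRESS_LOG = `
ts=2026-01-15T10:00:01Z host=n8n-01 proc=node dst=registry.npmjs.org:443
ts=2026-01-15T10:00:09Z host=n8n-01 proc=node dst=api.placeholder-crm.invalid:443
ts=2026-01-15T10:01:42Z host=n8n-01 proc=node dst=c2.placeholder.invalid:8443
ts=2026-01-15T10:02:10Z host=n8n-01 proc=node dst=unknown-cdn.placeholder.invalid:443
`;

// The package name is whatever follows the last "node_modules/" segment,
// which also handles nested installs and scoped (@org/name) packages.
function installedPackages(lockfile) {
  const names = new Set();
  for (const path of Object.keys(lockfile.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue;
    names.add(path.slice(idx + "node_modules/".length));
  }
  return names;
}

// Parse one log line per connection; lines that do not match are ignored.
function parseEgress(logText) {
  const entries = [];
  for (const line of logText.split("\n")) {
    const m = line.match(/^ts=(\S+) host=(\S+) proc=(\S+) dst=([^:\s]+):(\d+)$/);
    if (m) entries.push({ ts: m[1], host: m[2], proc: m[3], dst: m[4], port: Number(m[5]) });
  }
  return entries;
}

function scanHost({ lockfile, egressLog, iocs, allowlist }) {
  const installed = installedPackages(lockfile);
  const packageHits = iocs.packages.filter((p) => installed.has(p));

  const c2 = new Set(iocs.c2Hosts);
  const allowed = new Set(allowlist);
  const egressHits = [];        // connections to a known C2 host
  const unexpectedEgress = [];  // connections to anything not on the allowlist
  for (const entry of parseEgress(egressLog)) {
    if (c2.has(entry.dst)) egressHits.push(entry);
    else if (!allowed.has(entry.dst)) unexpectedEgress.push(entry);
  }
  return { packageHits, egressHits, unexpectedEgress };
}

// Stand-alone run over the constructed host data.
const SCAN_REPORT = scanHost({
  lockfile: SAMPLE_LOCKFILE,
  egressLog: SAMPLE_EGRESS_LOG,
  iocs: IOC_LIST,
  allowlist: EGRESS_ALLOWLIST,
});
console.log(JSON.stringify(SCAN_REPORT, null, 2));
```

A package hit is a direct match on the published list; an allowlist miss is weaker evidence but is exactly what catches a successor package the list does not yet name, which is why the article's researchers pair the IOC list with ongoing egress monitoring rather than treating the list as the whole answer.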
How did it end? The malicious packages were disabled within hours of discovery by Endor Labs and the n8n team. However, the researchers caution that the threat remains dynamic and attackers may continue to evolve their tactics. “Even though the malicious packages we certainly know have been disabled in the last few hours, the attacks may continue and evolve going forward,” cautioned a researcher at Endor Labs. This underscores the importance of ongoing vigilance and proactive security practices for anyone leveraging workflow automation tools.
