npm · Malicious package advisory
Malwaren8n-nodes-pentest-rce
MAL-2026-4617
Malicious code in n8n-nodes-pentest-rce (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2a813bc4a209e75b50151451de1c2a3c4a7e916b181b314416eafc43492b4eb5)
On `npm install`, the package's `postinstall` script runs a shell pipeline that reads the Kubernetes service-account token from `/var/run/secrets/kubernetes.io/serviceaccount/token` (truncated to 200 bytes), the pod namespace file, the first 20 sorted environment variables, and host fingerprinting data (`id`, `hostname`, `uname -a`, `ip addr`, `/etc/os-release`, `mount`, `/proc/1/status`, `/proc/1/cgroup`), emitting them between `=RCE_START=` / `=RCE_END=` markers. In typical n8n custom-node installation contexts (n8n cloud, CI build pipelines, container-image builds), install-time stdout is captured into build logs accessible to the attacker. The advertised node code in `dist/PentestNode.node.js` is a no-op (`return [this.getInputData()]`) and `index.js` exports `{}` — the package provides no functional value to a consumer; the install-time shell payload is the entire purpose. The package self-identifies as a 'pentest proof of concept' for RCE in its name and description. The exfiltrated K8s SA token grants API access to the cluster the installer runs in, and the env-var dump commonly contains cloud-provider credentials.
Compromised versions (26)
- 1.0.35
- 1.0.31
- 1.0.16
- 1.0.33
- 1.0.43
- 1.0.3
- 1.0.21
- 1.0.32
- 1.0.44
- 1.0.39
- 1.0.11
- 1.0.41
- 1.0.7
- 1.0.28
- 1.0.36
- 1.0.40
- 1.0.29
- 1.0.0
- 1.0.19
- 1.0.42
- 1.0.30
- 1.0.15
- 1.0.8
- 1.0.38
- 1.0.1
- 1.0.37
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.