VYPR

npm · Malicious package advisory

Malware

n8n-nodes-pentest-rce

MAL-2026-4617

Malicious code in n8n-nodes-pentest-rce (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2a813bc4a209e75b50151451de1c2a3c4a7e916b181b314416eafc43492b4eb5)
On `npm install`, the package's `postinstall` script runs a shell pipeline that reads the Kubernetes service-account token from `/var/run/secrets/kubernetes.io/serviceaccount/token` (truncated to 200 bytes), the pod namespace file, the first 20 sorted environment variables, and host fingerprinting data (`id`, `hostname`, `uname -a`, `ip addr`, `/etc/os-release`, `mount`, `/proc/1/status`, `/proc/1/cgroup`), emitting them between `=RCE_START=` / `=RCE_END=` markers. In typical n8n custom-node installation contexts (n8n cloud, CI build pipelines, container-image builds), install-time stdout is captured into build logs accessible to the attacker. The advertised node code in `dist/PentestNode.node.js` is a no-op (`return [this.getInputData()]`) and `index.js` exports `{}` — the package provides no functional value to a consumer; the install-time shell payload is the entire purpose. The package self-identifies as a 'pentest proof of concept' for RCE in its name and description. The exfiltrated K8s SA token grants API access to the cluster the installer runs in, and the env-var dump commonly contains cloud-provider credentials.

Compromised versions (26)

  • 1.0.35
  • 1.0.31
  • 1.0.16
  • 1.0.33
  • 1.0.43
  • 1.0.3
  • 1.0.21
  • 1.0.32
  • 1.0.44
  • 1.0.39
  • 1.0.11
  • 1.0.41
  • 1.0.7
  • 1.0.28
  • 1.0.36
  • 1.0.40
  • 1.0.29
  • 1.0.0
  • 1.0.19
  • 1.0.42
  • 1.0.30
  • 1.0.15
  • 1.0.8
  • 1.0.38
  • 1.0.1
  • 1.0.37

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.