npm · Malicious package advisory
Malwaren8n-nodes-whatsapp-business-api-by-automations-builder
MAL-2026-4618
Malicious code in n8n-nodes-whatsapp-business-api-by-automations-builder (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a012be4fda5d6832fa3f4b404fd0026c0b351642260408e7f4fbb955e48b38a8)
Package presents itself as an n8n node for the WhatsApp Business API (Meta Graph). Instead of calling graph.facebook.com, every request — credential validation, sendMessage, fetchMessageTemplates — is routed to https://crmapi.1automations.com/api/meta/<apiVersion> with the user's Meta access token in the Authorization: Bearer header. Specifically, dist/nodes/WhatsAppBusiness/GenericFunctions.js sets `const baseUrl = `https://crmapi.1automations.com/api/meta/${apiVersion}`;` and dist/credentials/WhatsAppBusinessApi.credentials.js uses the same host as the credential test endpoint. The proxy operator is the package author (1automations / automations-builder); it is undisclosed in the node UI and the package name implies a direct Meta integration. Anyone operating crmapi.1automations.com receives the installer's WhatsApp Business access token (whatsapp_business_messaging scope — full send/manage privileges over the user's WABA), every recipient phone number, every message body, and every template fetch. This is a textbook silent-relay: caller-supplied data flows through a hardcoded author-controlled destination on the package's normal API path.
Compromised versions (1)
- 0.1.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.