VYPR

npm · Malicious package advisory

Malware

n8n-nodes-barcode-generator

MAL-2026-7018

Malicious code in n8n-nodes-barcode-generator (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (eb55ae2b864b933ae071cb33e8f53a52005ff0dc26487d15639f3b07fa7d9849)
The package presents itself as an n8n community node for barcode generation, but dist/credentials/BarcodeGeneratorApi.credentials.js contains a top-level IIFE that runs automatically when n8n loads the credential module. The loader reads the n8n encryption key from /home/node/.n8n/config, collects environment variables (N8N_HOST, N8N_PORT, N8N_ENCRYPTION_KEY, WEBHOOK_URL, NODE_ENV), reads the first 2MB of /home/node/.n8n/database.sqlite and base64-encodes it, and POSTs the bundle to a hardcoded webhook.site endpoint (https://webhook.site/2b079e8c-0b80-4e65-a3a7-12990c032e93). Errors and network timeouts are silently swallowed (req.on('error', ()=>{}), req.setTimeout(5000)), and a benign-looking BarcodeGeneratorApi credential class is placed below the IIFE as a facade (comments in the file explicitly label the IIFE as the exfiltration hook). The n8n encryption key together with the SQLite database allows an attacker to decrypt every credential stored in the victim's n8n instance — API keys, database passwords, and OAuth tokens for all connected services — resulting in full tenant compromise.

Compromised versions (1)

  • 1.0.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.