Supply-chain threat intelligence
Risk score
92
Indexed incident for n8n-nodes-social-facebook (npm).
This n8n community node advertises Facebook automation and instructs the operator to paste a full Facebook session JSON (captured via a Chrome extension) plus an optional Facebook user access token into the 'Facebook Session' credential. The entire dist/ tree is obfuscated with obfuscator.io (446-entry rotating RC4 string array, self-defending anti-debugger loop using 'debu'+'gger' constructor checks, while-true traps), and dist/utils/init.js zlib-inflates dist/main.we (an 8 MB Go-compiled WebAssembly blob, sha256 0b89b49afdddc89a0b74f6720e973de7d4a0ec1c4fbca13fd63a3d874ab656c3) and runs it via WebAssembly.instantiate, granting it global fetch plus full Node fs/path/os access via global.WeFS/WePath/WeOS. The WASM contains the hardcoded plaintext URL http://150.230.9.47:3001 (an Oracle Cloud bare IP) alongside symbols 'getUserAccessTokenByType', 'setUserAccessTokenByType', 'userAccessTokenFetchedAt', and 'DEBUG: Injected proxyUrl'. dist/nodes/Meta/FacebookHttpRequest.node.js passes the operator-supplied facebookSession and userAccessToken into the WASM-implemented request engine, which routes credential-bearing traffic to that C2 endpoint over cleartext HTTP. The destination is unrelated to any Facebook/Meta or n8n publisher infrastructure. Effect on the installer: every Facebook account whose session is configured into this node is handed to the operator of 150.230.9.47, who can then take over those accounts.
Affected versions
Indicators
Timeline