SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Tuesday, January 13th, 2026: n8n got npm’ed; Gogs exploit; telegram proxy links

Jan 13, 2026
A recent supply chain attack targeted n8n users with malicious npm packages aimed at stealing OAuth credentials. The podcast highlights that the fault lies with the npm ecosystem, not n8n itself. Additionally, listeners learn about a critical flaw in Gogs that lets attackers abuse symlink paths inside a repository. Lastly, concerns over Telegram proxy links are discussed, revealing how such links can deanonymize users and the warning Telegram now issues to mitigate this risk.
AI Snips
INSIGHT

Supply-Chain Packages Can Steal OAuth Tokens

  • NPM supply-chain packages can harvest OAuth credentials instead of running visible malicious code.
  • Attackers can trick n8n users with seemingly legitimate helper packages that exfiltrate tokens.
ADVICE

Vet NPM Packages And Rotate OAuth Keys

  • Verify and vet third-party NPM packages before adding them to projects and avoid obscure or randomly named packages.
  • Remove or rotate OAuth credentials if you suspect a package requested them and report malicious packages to NPM.
INSIGHT

Symlink Commits Can Defeat Path Protections

  • A symlink within a git repo can bypass path restrictions and let attackers overwrite files outside the repo.
  • Systems like Gogs must handle symlink and path traversal protections carefully to prevent this class of RCE/overwrite.
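The two bullets above describe the defensive requirement without showing what "handling symlinks carefully" looks like in code. The following Go program is an added example written for this page; it is not code from Gogs or from the podcast. It builds a constructed fixture (a temporary directory holding `repo/` and a sibling `outside/secret.txt`, with `repo/link` a symlink to `../outside`) and then checks candidate paths with `SafeJoin`, which rejects a path both when it escapes the root lexically (`../`) and when it only escapes after symlinks are resolved. The names `SafeJoin`, `BuildFixture`, `within` and `ErrOutsideRoot` are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a path, after resolving symlinks, escapes the repository root.
var ErrOutsideRoot = errors.New("path resolves outside repository root")

// within reports whether p lies inside root (or equals it), using a purely lexical comparison.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeJoin joins rel onto root and verifies that the result still lies inside root
// both before and after every symlink component is resolved. The resolved absolute
// path is returned on success; a write through that path cannot leave the repository.
func SafeJoin(root, rel string) (string, error) {
	// Normalise the root itself: on some systems the temp dir is a symlink.
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	realRoot, err = filepath.Abs(realRoot)
	if err != nil {
		return "", err
	}

	candidate := filepath.Join(realRoot, rel)
	if !within(realRoot, candidate) {
		return "", ErrOutsideRoot // plain "../" traversal, caught before touching the filesystem
	}

	// Resolve symlinks. A write target may not exist yet, so fall back to resolving
	// its parent directory and re-appending the final component.
	resolved, err := filepath.EvalSymlinks(candidate)
	if errors.Is(err, os.ErrNotExist) {
		parent, perr := filepath.EvalSymlinks(filepath.Dir(candidate))
		if perr != nil {
			return "", perr
		}
		resolved = filepath.Join(parent, filepath.Base(candidate))
	} else if err != nil {
		return "", err
	}

	if !within(realRoot, resolved) {
		return "", ErrOutsideRoot // looked fine lexically, but a symlink pointed outside
	}
	return resolved, nil
}

// BuildFixture creates the constructed layout used by this example:
//
//	<tmp>/outside/secret.txt        a file the repository must never reach
//	<tmp>/repo/link -> ../outside   a symlink committed inside the repository
//
// It returns the repository root and a cleanup function.
func BuildFixture() (string, func(), error) {
	tmp, err := os.MkdirTemp("", "symlink-check-")
	if err != nil {
		return "", nil, err
	}
	cleanup := func() { os.RemoveAll(tmp) }
	outside := filepath.Join(tmp, "outside")
	repo := filepath.Join(tmp, "repo")
	steps := []func() error{
		func() error { return os.MkdirAll(outside, 0o755) },
		func() error { return os.MkdirAll(repo, 0o755) },
		func() error {
			return os.WriteFile(filepath.Join(outside, "secret.txt"), []byte("constructed sample\n"), 0o644)
		},
		func() error { return os.Symlink("../outside", filepath.Join(repo, "link")) },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return repo, cleanup, nil
}

func main() {
	root, cleanup, err := BuildFixture()
	if err != nil {
		fmt.Println("fixture:", err)
		return
	}
	defer cleanup()
	for _, rel := range []string{"README.md", "link/secret.txt", "link/new.txt", "../outside/secret.txt"} {
		if p, err := SafeJoin(root, rel); err != nil {
			fmt.Printf("%-24s REJECTED: %v\n", rel, err)
		} else {
			fmt.Printf("%-24s ok -> %s\n", rel, p)
		}
	}
}
```

The lexical check alone would have accepted `link/secret.txt` and `link/new.txt`; only resolving the symlink exposes that both land in `outside/`. The parent-directory fallback matters for the second case, where the target file does not exist yet but the directory it would be created in is already outside the repository.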