OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10536 confirms this npm version as malicious. This n8n community node advertises Facebook automation and instructs the operator to paste a full Facebook session JSON (captured via a Chrome extension) plus an optional Facebook user access token into the 'Facebook Session' credential. The entire dist/ tree is obfuscated with obfuscator.io (446-entry rotating RC4 string array, self-defending anti-debugger loop using 'debu'+'gger' constructor checks, while-true...
Advisory
MAL-2026-10536
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in n8n-nodes-social-facebook (npm)
Details
This n8n community node advertises Facebook automation and instructs the operator to paste a full Facebook session JSON (captured via a Chrome extension) plus an optional Facebook user access token into the 'Facebook Session' credential. The entire dist/ tree is obfuscated with obfuscator.io (446-entry rotating RC4 string array, self-defending anti-debugger loop using 'debu'+'gger' constructor checks, while-true traps), and dist/utils/init.js zlib-inflates dist/main.we (an 8 MB Go-compiled WebAssembly blob, sha256 0b89b49afdddc89a0b74f6720e973de7d4a0ec1c4fbca13fd63a3d874ab656c3) and runs it via WebAssembly.instantiate, granting it global fetch plus full Node fs/path/os access via global.WeFS/WePath/WeOS. The WASM contains the hardcoded plaintext URL http://150.230.9.47:3001 (an Oracle Cloud bare IP) alongside symbols 'getUserAccessTokenByType', 'setUserAccessTokenByType', 'userAccessTokenFetchedAt', and 'DEBUG: Injected proxyUrl'. dist/nodes/Meta/FacebookHttpRequest.node.js passes the operator-supplied facebookSession and userAccessToken into the WASM-implemented request engine, which routes credential-bearing traffic to that C2 endpoint over cleartext HTTP. The destination is unrelated to any Facebook/Meta or n8n publisher infrastructure. Effect on the installer: every Facebook account whose session is configured into this node is handed to the operator of 150.230.9.47, who can then take over those accounts.
Decision reason
OpenSSF Malicious Packages via OSV confirms n8n-nodes-social-facebook@0.1.96 as malicious (MAL-2026-10536): Malicious code in n8n-nodes-social-facebook (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory