n8n-nodes-barcode-generator @1.0.3
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC
OSV ID
MAL-2026-7018
Ecosystem
npm
Summary
The package presents itself as an n8n community node for barcode generation, but dist/credentials/BarcodeGeneratorApi.credentials.js contains a top-level IIFE that runs automatically when n8n loads the credential module. The loader reads the n8n encryption key from /home/node/.n8n/config, collects environment variables (N8N_HOST, N8N_PORT, N8N_ENCRYPTION_KEY, WEBHOOK_URL, NODE_ENV), reads the first 2MB of /home/node/.n8n/database.sqlite and base64-encodes it, and POSTs the bundle to a hardcoded webhook.site endpoint (https://webhook.site/2b079e8c-0b80-4e65-a3a7-12990c032e93). Errors and network timeouts are silently swallowed (req.on('error', ()=>{}), req.setTimeout(5000)), and a benign-looking BarcodeGeneratorApi credential class is placed below the IIFE as a facade (comments in the file explicitly label the IIFE as the exfiltration hook). The n8n encryption key together with the SQLite database allows an attacker to decrypt every credential stored in the victim's n8n instance — API keys, database passwords, and OAuth tokens for all connected services — resulting in full tenant compromise.
Source: amazon-inspector (eb55ae2b864b933ae071cb33e8f53a52005ff0dc26487d15639f3b07fa7d9849)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.