SANS Stormcast Tuesday, January 13th, 2026: n8n got npm’ed; Gogs exploit; telegram proxy links

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9764.mp3


n8n supply chain attack
Malicious npm packages were used to attempt to obtain user OAuth credentials for NPM.
https://www.endorlabs.com/learn/n8mare-on-auth-street-supply-chain-attack-targets-n8n-ecosystem

Gogs 0-Day Exploited in the Wild
A flaw in Gogs that was unpatched at the time was exploited to compromise Git repos.
https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit

Telegram Proxy Link Abuse
Telegram proxy links have been abused to deanonymize users.
https://x.com/GangExposed_RU/status/2009961417781457129

Podcast Transcript

Hello and welcome to the Tuesday, January 13th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in cybersecurity leadership.

Well, and let's start with N8N again. It's in the news again and not in a good way. But this time it's not really N8N's fault of what's happening here. It's a standard NPM supply chain issue. There were a number of malicious NPM libraries released that in this case actually didn't sort of do the usual of executing malicious code in the developer system. Instead, they just were into stealing credentials. So the way these particular packages worked was that they claimed to be like license validators and such for N8N. And so far, it may be plausible that as you're running the tool created with these packages, it will ask you to basically add OAuth credentials for N8N for the tool to work. Well, these OAuth credentials were then exfiltrated and abused by the attacker. So one of those, I guess, OAuth phishing kind of incidents combined with the NPM supply chain issue. Again, not really a problem with anything that N8N did. Nothing really they could fix. It's just up to NPM to get their act together and kick those packages out. Luckily, they weren't super popular. In particular, actually, I think the OAuths were a little bit better named. Some of these packages have random strings at the end, which may have caused some suspicion here. But then again, they were published providing certain legitimately sounding features for N8N users. And so far, somewhat understandable if developers integrate them in their projects.

And this weekend, Wiz published a blog post discussing an actively exploited and at the time unpatched vulnerability in Gogs. Gogs is a self-hosted Git repository management system. The vulnerability is sadly fairly straightforward to exploit. It's one of those symlink bypass vulnerabilities. So as many systems that manage files like Gogs, they restrict what paths you can write those files to. But as part of a Git repository, you may also commit a symlink. And then that symlink could point to a file outside of that repository or that constraint that is sort of imposed by Gogs. So what the attacker would do is they would commit a symlink that points to a sensitive file, then they're uploading a file to that, because they're overwriting that file. But since this file now points to a symlink, the entire path traversal protection fails, and an attacker is able to overwrite a sensitive file. So pretty big vulnerability. If you're running Gogs, make sure it's up to date or otherwise protected from external access. Of course, in order to exploit this, an attacker does need to have some privileges on your repositories.

And then there is a new issue that is apparently also being exploited on Telegram. And the issue here is that it's possible to unmask users' real IP addresses. Of course, on systems like Telegram, you try to stay anonymous and your messages shouldn't really sort of go directly from one user to the other instead via the service, which sort of obscures your actual IP address. But Telegram has a neat feature that allows you to basically communicate the address of a proxy that you may want to use. And these proxy links here are apparently being abused. So if you're clicking on the link in Telegram, it may be one of those proxy links. And what then happens is that your Telegram client reaches out to this proxy. Well, with that, of course, the proxy learns the user's IP address. And if an attacker sends you a malicious link like this, with a proxy they control, they get your IP address. The issue here is that this is, well, the way these proxy links are supposed to work. And they have some good uses where users communicate these proxy addresses very easily in order to bypass some filters that Telegram users may run into, depending on their country of origin. So they're often used to bypass some of these censorship filters. Telegram's response to this is now, since they can't really change the feature, they don't want to change the feature, that they're warning users before you're clicking on one of those proxy links, or when you're clicking on one of those proxy links, you're being warned that this is a proxy link. And then you're being given the choice not to follow the link. And with that, the proxy will no longer learn your IP address.

Well, and that's it for today. Thanks for listening. Thanks for liking and subscribing to this podcast and talk to you again tomorrow. Bye.
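The symlink bypass pattern described for Gogs in the transcript, shown as an added example that is not from the podcast, from Wiz, or from the Gogs code base and makes no claim about how Gogs actually implements its checks. The hypothetical `is_within` function models a path-containment check that only normalizes the requested path; `safe_path` resolves symlinks with `os.path.realpath` before checking containment, which is the usual fix. The sample repository, symlink and target file are constructed in a temporary directory.

```python
import os
import tempfile


def is_within(base: str, relpath: str) -> bool:
    """Naive containment check: normalizes '..' but never follows symlinks.
    A committed symlink inside the repo passes this check even when it
    points at a file outside the repo."""
    base_norm = os.path.normpath(base)
    target = os.path.normpath(os.path.join(base, relpath))
    return target == base_norm or target.startswith(base_norm + os.sep)


def safe_path(base: str, relpath: str) -> str:
    """Hardened version: resolve every symlink in both base and target
    first, then check that the real target still lives under the real base."""
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(os.path.join(base_real, relpath))
    if target_real != base_real and not target_real.startswith(base_real + os.sep):
        raise ValueError(f"{relpath!r} resolves outside the repository")
    return target_real


def demo() -> dict:
    """Build a constructed repo with a symlink escaping to a sibling file
    and run both checks against it plus an ordinary in-repo path."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        os.makedirs(repo)
        # Constructed "sensitive" file living outside the repository root.
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("original contents\n")
        # The equivalent of a committed symlink pointing outside the repo.
        os.symlink(secret, os.path.join(repo, "link"))

        naive_allows_link = is_within(repo, "link")        # True: bypass succeeds
        try:
            safe_path(repo, "link")
            hardened_allows_link = True
        except ValueError:
            hardened_allows_link = False                    # False: rejected
        ordinary = safe_path(repo, "docs/readme.md")        # normal path still allowed
        return {
            "naive_allows_link": naive_allows_link,
            "hardened_allows_link": hardened_allows_link,
            "ordinary_ok": ordinary.endswith(os.path.join("repo", "docs", "readme.md")),
        }
```

Note that `realpath` alone is not sufficient if a symlink can be created between the check and the write (a classic time-of-check/time-of-use race); opening with `O_NOFOLLOW` or writing through a file descriptor obtained from a resolved directory closes that gap.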