Hello and welcome to the Tuesday, January 13th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in cybersecurity leadership.

Well, and let's start with n8n again. It's in the news again, and not in a good way. But this time it's not really n8n's fault what's happening here. It's a standard NPM supply chain issue. There were a number of malicious NPM libraries released that in this case actually didn't sort of do the usual of executing malicious code on the developer's system. Instead, they were just into stealing credentials. So the way these particular packages worked was that they claimed to be like license validators and such for n8n. And so far, it may be plausible that as you're running the tool created with these packages, it will ask you to basically add OAuth credentials for n8n for the tool to work. Well, these OAuth credentials were then exfiltrated and abused by the attacker. So one of those, I guess, OAuth phishing kind of incidents combined with the NPM supply chain issue. Again, not really a problem with anything that n8n did. Nothing really they could fix. It's just up to NPM to get their act together and kick those packages out. Luckily, they weren't super popular. In particular, actually, I think the OAuths were a little bit better named. Some of these packages have random strings at the end, which may have caused some suspicion here. But then again, they were published providing certain legitimate-sounding features for n8n users. And so far, it is somewhat understandable if developers integrate them in their projects.

And this weekend, Wiz published a blog post discussing an actively exploited and, at the time, unpatched vulnerability in Gogs. Gogs is a self-hosted Git repository management system. The vulnerability is sadly fairly straightforward to exploit. It's one of those symlink bypass vulnerabilities. So, as with many systems that manage files, Gogs restricts what paths you can write those files to. But as part of a Git repository, you may also commit a symlink. And then that symlink could point to a file outside of that repository or that constraint that is sort of imposed by Gogs. So what the attacker would do is they would commit a symlink that points to a sensitive file, then they're uploading a file to that, because they're overwriting that file. But since this file now points to a symlink, the entire path traversal protection fails, and an attacker is able to overwrite a sensitive file. So, pretty big vulnerability. If you're running Gogs, make sure it's up to date or otherwise protected from external access. Of course, in order to exploit this, an attacker does need to have some privileges on your repositories.

And then there is a new issue that is apparently also being exploited, on Telegram. And the issue here is that it's possible to unmask users' real IP addresses. Of course, on systems like Telegram, you try to stay anonymous, and your messages shouldn't really sort of go directly from one user to the other but instead via the service, which sort of obscures your actual IP address. But Telegram has a neat feature that allows you to basically communicate the address of a proxy that you may want to use. And these proxy links here are apparently being abused. So if you're clicking on a link in Telegram, it may be one of those proxy links. And what then happens is that your Telegram client reaches out to this proxy. Well, with that, of course, the proxy learns the user's IP address. And if an attacker sends you a malicious link like this, with a proxy they control, they get your IP address. The issue here is that this is, well, the way these proxy links are supposed to work. And they have some good uses, where users communicate these proxy addresses very easily in order to bypass some filters that Telegram users may run into, depending on their country of origin. So they're often used to bypass some of these censorship filters. Telegram's response to this is now, since they can't really change the feature, they don't want to change the feature, that they're warning users before you're clicking on one of those proxy links, or when you're clicking on one of those proxy links, you're being warned that this is a proxy link. And then you're being given the choice not to follow the link. And with that, the proxy will no longer learn your IP address.

Well, and that's it for today. Thanks for listening. Thanks for liking and subscribing to this podcast, and talk to you again tomorrow. Bye.
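The Gogs symlink bypass described in this episode comes down to a write path that passes a lexical check but, through a committed symlink, resolves to a file elsewhere on disk. The Go function below is an added example written for this page, not Gogs's own code; the names ResolveWithinRoot and ErrEscapesRoot are hypothetical. It resolves symlinks along the target path before testing containment, so an in-tree name that is really a link to an outside file is refused.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRoot = errors.New("target resolves outside repository root")

// ResolveWithinRoot returns the absolute, symlink-resolved location of rel under
// root, or ErrEscapesRoot. A lexical check alone (no "..", no absolute path) misses
// a committed symlink whose in-tree name points elsewhere, so symlinks are resolved
// before the containment test. Hypothetical helper written for this example.
func ResolveWithinRoot(root, rel string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err == nil {
		absRoot, err = filepath.EvalSymlinks(absRoot)
	}
	if err != nil {
		return "", err
	}
	prefix := absRoot + string(os.PathSeparator)
	candidate := filepath.Join(absRoot, rel) // Join cleans ".." segments
	if !strings.HasPrefix(candidate, prefix) { // lexical escape, or the root itself
		return "", ErrEscapesRoot
	}
	// Walk up to the deepest component that already exists so that a symlink
	// anywhere on the path (the file itself or a parent directory) is followed.
	existing, tail := candidate, []string{}
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		tail = append([]string{filepath.Base(existing)}, tail...)
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing) // dangling link -> error, fail closed
	if err != nil {
		return "", err
	}
	resolved = filepath.Join(append([]string{resolved}, tail...)...)
	if !strings.HasPrefix(resolved, prefix) {
		return "", ErrEscapesRoot
	}
	return resolved, nil
}
```

The check must run on the server at write time, after the symlink has already been committed; validating only the path string supplied with the upload is exactly what the bypass defeats.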