Malicious npm packages posing as n8n community nodes were used to steal OAuth tokens by abusing trusted workflow integrations and credential storage.