Missing and mysterious new flows

When I just logged into my node-red server, some of my flows are missing and I see a ton of new random flows that that all look like the below.

Any idea what's going on here?


Nevermind ... I just noticed this post. Crypto Miner Abuse/Malware


  1. is your NR device connected to the internet?
  2. What is the device?
  3. did you add any contrib nodes lately?

Just want to make sure that none of the nodes are corrupt

Also, did you have AdminAuth set.
ie. Did you secure your interface with a password?

You can see from the screenshot that adminAuth is not enabled - there's no usermenu in the title bar.

1 Like

Good and valid point I think!!! Who is checking that? Or could anyone just create a set of 'contrib' nodes and publish/share them without them undergoing some kind of investigation?

If so

  • would it make sense to introduce such revision & control
  • what kind of "bad things" could such a set of nodes achieve in worst case?

I read somewhere in this forum, there are multiple Q&A's about flows/nodes being packaged, distributed and self-deployed. Is that such a threat that needs deeper thoughts and eventual protection? If it is possible to embed some kind of malicious code into the node code, at I get a bit scared about that since until today I did not consider installing nodes via the palett manager as a possible security risk.

Some thoughts from those knowing better is very much appreciated...

The only known issue right now is the cryptominer hack and that is a straightforward entry into an incorrectly secured instance of Node-RED exposed to the Internet.

In terms of Nodes themselves, there are some risks associated with the use of GitHub and npm but in general, as long as you have properly secured both, it is very unlikely that you will ever see an issue here. Both are such big targets with far more juicy options than a Node-RED node. They are well monitored and protected.

In short, only install nodes where you can have some confidence that they are from a reputable source. Check on the flows site to see how long they've been around and how people are rating them and the authors. There are also tools on the web that will review npm modules for security issues if you are not sure. I use them to monitor my own nodes, for example, so that I know if a dependent library has an issue.

It is, of course possible to write a script that will auto-install a rogue node and restart NR. Someone would still need to hack your platform and get that script run. If they can do that then there are too many ways to count to hack your system.

Now you can see why we recommend keeping Node-RED away from the Internet unless you really know what you are doing.

But let's be clear, although I've repeatedly said that Node-RED has not be security certified in any way, it is a solid piece of software running over Node.JS and using some very widely-used and robust tools. There are plenty of ways to secure Node.JS services.

It could be argued that Node-RED, being a generic programming platform, might be more open to hacking than some systems. This might be true but not by any problematic margin in my view.

Bottom line is that, if you have a platform that can be reached - even indirectly - from the Internet, you need to learn how to secure it. If connecting directly, you will need to learn more. If doing so for profit or on behalf of others, please consider getting a professional security expert (or team) to at least do penetration testing on the whole environment.

Don't be scared but do be sensible.

1 Like

Dear Julian, thanks for a very informative answer!

For sure, I have all my Pi's and other computers isolated from internet. My worries were more related to "what could be caused by myself" when actively deciding to download & install nodes

At the same time, as you said, be careful when selecting what you actually "bring home"

I assume it would be way to far to wish having a kind of certification of each node set before it can be shared (like apps are, or should be!??, certified by Apple & Google before they are available in Apple Store and Google Play)

So far, so good, no mysterious flows found here!
Kind regards, Walter

We simply don't have the resources to do the sort of testing and verification that would entail.

A nice wish to be sure. But unless Node.JS and npm change quite dramatically, unlikely I'm afraid. In any case, that requires a cast of thousands to review apps and the Google Play Store in particular is notorious at getting it wrong and allowing thousands of rogue apps through. So no easy fix I'm afraid.

Having said that, at least we have some feedback tools on the flows site now so please do go through and support the nodes you rely on so others know which can be relied on.

  1. Yes (I locked down by incoming IP after this occurred)
  2. Windows VM in Azure
  3. I just started using Node-Red and installed a number of contrib nodes. I have installed:

I also had installed node-red-node-swagger-ddm. I believe the day this occurred, it was throwing errors when I opened the admin UI so I removed it.

I've had a lot of disk IO since installing node-red & nodejs on 9/8/2018. Especially the day I created this thread which aligns with the big spike (39.4 GB).


It appears I need to scrap this VM which is zero fun.

This is where your DevOps skills come into play :wink:
While a pain to do the first time round, using a build tool to set up and configure your VM enables you to rebuild it very quickly by running a script.