Describe the problem/error/question
I’ve tried multiple configurations - linking the Supabase tool directly to the agent or creating a retrieval agent that passes the supabase results back to the main agent - but the main agent always only processes one result out of dozens to provide the answer, no matter how specific I am in instructions to parse the entire response or in defining the structure of the response so it can parse it.
What is the error message (if any)?
e.g. note in the agent response it specifically says “The search successfully retrieved one relevant article (ID 206) titled “Cybercriminals picked up the pace on attacks last year”” despite the Supabase tool returning the maximum 20 results allowed.
User Query: What organisations and sectors have been targeted by Scattered Spider?
Supabase Query:
{
"Filters__String_": "article-text.ilike.%Scattered Spider% AND article-text.ilike.%targeted% AND (article-text.ilike.%organisation% OR article-text.ilike.%sectors%)"
}
Supabase Results:
{
"response": [
{
"id": 76,
"created_at": "2025-02-27T10:12:42.504245+00:00",
"title": "Does terrible code drive you mad? Wait until you see what it does to OpenAI's GPT-4o",
"link": "https://go.theregister.com/feed/www.theregister.com/2025/02/27/llm_emergent_misalignment_study/",
"isoDate": "2025-02-27T07:29:12",
"publication": "The Register",
"article-text": "Computer scientists have found that fine-tuning notionally safe large language\nmodels to do one thing badly can [...]",
"article-image": "https://regmedia.co.uk/2015/03/16/terminator.jpg"
},
{
"id": 77,
"created_at": "2025-02-27T10:12:42.504245+00:00",
"title": "Wallbleed vulnerability unearths secrets of China's Great Firewall 125 bytes at a time",
"link": "https://go.theregister.com/feed/www.theregister.com/2025/02/27/wallbleed_vulnerability_great_firewall/",
"isoDate": "2025-02-27T00:52:31",
"publication": "The Register",
"article-text": "Smart folks investigating a memory-dumping vulnerability in the Great Firewall\nof China (GFW) finally released their findings after probing it for years.[...]",
"article-image": "https://regmedia.co.uk/2025/02/27/shutterstock_gwc.jpg"
},
{
"id": 78,
"created_at": "2025-02-27T10:12:42.504245+00:00",
"title": "With millions upon millions of victims, scale of unstoppable info-stealer malware laid bare",
"link": "https://go.theregister.com/feed/www.theregister.com/2025/02/26/hibp_adds_giant_infostealer_trove/",
"isoDate": "2025-02-26T23:43:30",
"publication": "The Register",
"article-text": "A tip-off from a government agency has resulted in 284 million unique email\naddresses and [...]",
"article-image": "https://regmedia.co.uk/2022/03/21/passwords_password.jpg"
}
]
Agent Response:
Scattered Spider’s Targets Revealed
Scattered Spider, also known as Muddled Libra, has targeted:
- Service Providers: They social-engineered a service provider’s help desk to gain access to >a contracted IT worker’s privileged access manager account.
This highlights their tactic of exploiting vulnerabilities in service providers to gain initial access.
For more details, you can refer to the full article here: Cybercriminals picked up the pace on attacks last year [1]
Reasoning and Information Evaluation:
I used the Supabase keyword match tool with the filters “article-text.ilike.%Scattered Spider% AND article-text.ilike.%targeted% AND (article-text.ilike.%organisation% OR article-text.ilike.%sectors%)”. The search successfully retrieved one relevant article (ID 206) titled “Cybercriminals picked up the pace on attacks last year”.
Upon reviewing the article text, I specifically looked for direct mentions of organisations or sectors targeted by “Scattered Spider” (or its alias “Muddled Libra”). The article explicitly states: “Muddled Libra, a group more commonly known as Scattered Spider… social engineered a service provider’s help desk last year to gain access to a contracted IT worker’s privileged access manager account”. This confirms “Service Providers” as a targeted sector.
While the article also mentions a “municipal government’s network” being compromised, it attributes this incident to “RansomHub”, not Scattered Spider. Therefore, to ensure technical accuracy and avoid misattribution, I have only included “Service Providers” in the response as a verified target of Scattered Spider based on the provided data.
Please share your workflow
Share the output returned by the last node
See above
Information on your n8n setup
- n8n version: 1.106.3
- Database (default: SQLite): default
- n8n EXECUTIONS_PROCESS setting (default: own, main): default
- Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
- Operating system: Windows 11
