Menace actors have been noticed weaponizing n8n, a well-liked synthetic intelligence (AI) workflow automation platform, to facilitate subtle phishing campaigns and ship malicious payloads or fingerprint units by sending automated emails.
“By leveraging trusted infrastructure, these attackers bypass conventional safety filters, turning productiveness instruments into supply automobiles for persistent distant entry,” Cisco Talos researchers Sean Gallagher and Omid Mirzaei mentioned in an evaluation printed as we speak.
N8n is a workflow automation platform that enables customers to attach numerous net purposes, APIs, and AI mannequin companies to sync information, construct agentic techniques, and run repetitive rule-based duties.
Customers can register for a developer account at no further price to avail a managed cloud-hosted service and run automation workflows with out having to arrange their very own infrastructure.Doing so, nonetheless, creates a novel customized area that goes by the format –
The platform additionally helps the flexibility to create webhooks to obtain information from apps and companies when sure occasions are triggered.Thismakes it doable to provoke a workflow after receiving sure information.The info, on this case, is shipped by way of a novel webhook URL.
Based on Cisco Talos, it is these URL-exposed webhooks – which make use of the identical *.app.n8n[.]cloud subdomain – that has been abused in phishing assaults way back to October 2025.
“A webhook, sometimes called a ‘reverse API,’ permits one utility to offer real-time data to a different. These URLs register an utility as a ‘listener’ to obtain information, which may embody programmatically pulled HTML content material,” Talos defined.
“When the URL receives a request, the next workflow steps are triggered, returning outcomes as an HTTP information stream to the requesting utility. If the URL is accessed by way of e-mail, the recipient’s browser acts because the receiving utility, processing the output as an online web page.”
What makes this important is that it opens a brand new door for menace actors to propagate malware whereas sustaining a veneer of legitimacy by giving the impression that they’re originating from a trusted area.
Menace actors have wasted no time profiting from the habits to arrange n8n webhook URLs for malware supply and gadget fingerprinting. The quantity of e-mail messages containing these URLs in March 2026 is claimed to have been about 686% increased than in January 2025.
In one marketing campaign noticed by Talos, menace actors have been discovered to embed an n8n-hosted webhook hyperlink in emails that claimed to be a shared doc. Clicking the hyperlink takes the consumer to an online web page that shows a CAPTCHA, which, upon completion, prompts the obtain of a malicious payload from an exterior host.
“As a result of your entire course of is encapsulated throughout the JavaScript of the HTML doc, the obtain seems to the browser to have come from the n8n area,” the researchers famous.
The finish objective of the assault is to ship an executable or an MSI installer that serves as a conduit for modified variations of reputable Distant Monitoring and Administration (RMM) instruments like Datto and ITarian Endpoint Administration, and use them to determine persistence by establishing a connection to a command-and-control (C2) server.
A second prevalent case considerations the abuse of n8n for fingerprinting. Particularly, this entails embedding in emails an invisible picture or monitoring pixel that is hosted on an n8n webhook URL. As quickly because the digital missive is opened by way of an e-mail shopper, it robotically sends an HTTP GET request to the n8n URL together with monitoring parameters, just like the sufferer’s e-mail deal with, thereby enabling the attackers to establish them.
“The identical workflows designed to avoid wasting builders hours of guide labor at the moment are being repurposed to automate the supply of malware and fingerprinting units resulting from their flexibility, ease of integration, and seamless automation,” Talos mentioned. “As we proceed to leverage the ability of low-code automation, it’s the duty of safety groups to make sure these platforms and instruments stay belongings relatively than liabilities.”
