Risk actors have been noticed weaponizing n8n, a preferred synthetic intelligence (AI) workflow automation platform, to facilitate refined phishing campaigns and ship malicious payloads or fingerprint gadgets by sending automated emails.
“By leveraging trusted infrastructure, these attackers bypass conventional safety filters, turning productiveness instruments into supply autos for persistent distant entry,” Cisco Talos researchers Sean Gallagher and Omid Mirzaei mentioned in an evaluation printed immediately.
N8n is a workflow automation platform that enables customers to attach numerous net functions, APIs, and AI mannequin companies to sync information, construct agentic programs, and run repetitive rule-based duties.
Customers can register for a developer account at no further price to avail a managed cloud-hosted service and run automation workflows with out having to arrange their very own infrastructure.Doing so, nevertheless, creates a novel customized area that goes by the format – <account title>.app.n8n.cloud – from the place a consumer can entry their functions.
The platform additionally helps the flexibility to create webhooks to obtain information from apps and companies when sure occasions are triggered.Thismakes it potential to provoke a workflow after receiving sure information.The info, on this case, is distributed by way of a novel webhook URL.
In keeping with Cisco Talos, it is these URL-exposed webhooks – which make use of the identical *.app.n8n[.]cloud subdomain – that has been abused in phishing assaults way back to October 2025.
“A webhook, sometimes called a ‘reverse API,’ permits one utility to supply real-time data to a different. These URLs register an utility as a ‘listener’ to obtain information, which may embody programmatically pulled HTML content material,” Talos defined.
“When the URL receives a request, the following workflow steps are triggered, returning outcomes as an HTTP information stream to the requesting utility. If the URL is accessed by way of e-mail, the recipient’s browser acts because the receiving utility, processing the output as an internet web page.”
What makes this important is that it opens a brand new door for risk actors to propagate malware whereas sustaining a veneer of legitimacy by giving the impression that they’re originating from a trusted area.
Risk actors have wasted no time benefiting from the habits to arrange n8n webhook URLs for malware supply and gadget fingerprinting. The quantity of e-mail messages containing these URLs in March 2026 is claimed to have been about 686% larger than in January 2025.
In one marketing campaign noticed by Talos, risk actors have been discovered to embed an n8n-hosted webhook hyperlink in emails that claimed to be a shared doc. Clicking the hyperlink takes the consumer to an internet web page that shows a CAPTCHA, which, upon completion, prompts the obtain of a malicious payload from an exterior host.
“As a result of the whole course of is encapsulated inside the JavaScript of the HTML doc, the obtain seems to the browser to have come from the n8n area,” the researchers famous.
The finish aim of the assault is to ship an executable or an MSI installer that serves as a conduit for modified variations of respectable Distant Monitoring and Administration (RMM) instruments like Datto and ITarian Endpoint Administration, and use them to determine persistence by establishing a connection to a command-and-control (C2) server.
A second prevalent case considerations the abuse of n8n for fingerprinting. Particularly, this entails embedding in emails an invisible picture or monitoring pixel that is hosted on an n8n webhook URL. As quickly because the digital missive is opened by way of an e-mail shopper, it mechanically sends an HTTP GET request to the n8n URL together with monitoring parameters, just like the sufferer’s e-mail tackle, thereby enabling the attackers to establish them.
“The identical workflows designed to avoid wasting builders hours of guide labor at the moment are being repurposed to automate the supply of malware and fingerprinting gadgets as a consequence of their flexibility, ease of integration, and seamless automation,” Talos mentioned. “As we proceed to leverage the ability of low-code automation, it’s the accountability of safety groups to make sure these platforms and instruments stay belongings moderately than liabilities.”
