ALL POSTS

Key Findings Threat actors have weaponized n8n webhooks since October 2025 to deliver malware and fingerprint devices through phishing campaigns Malicious emails containing n8n webhook URLs appear legitimate because they originate from trusted n8n domains Email volume containing these URLs increased 686% from January 2025 to March 2026 Two primary attack methods observed: malware delivery via fake document links and device fingerprinting using invisible tracking pixels Attack

Key Findings North Korea-linked Lazarus Group registered legitimate US LLC to distribute malware targeting blockchain developers Hackers created fake company "Blocmerce" in Florida with fabricated CEO and official state filings using real residential addresses GraphAlgo campaign evolved from npm package distribution to hiding malware in GitHub release artifacts Remote Access Trojan (RAT) deployed after developers run test tasks, giving attackers full machine control Campaign