n8n Webhooks Exploited Since October 2025 in Malware Distribution Campaign
Key Findings
- Threat actors have weaponized n8n webhooks since October 2025 to deliver malware and fingerprint devices through phishing campaigns
- Malicious emails containing n8n webhook URLs appear legitimate because they originate from trusted n8n domains
- Email volume containing these URLs increased 686% from January 2025 to March 2026
- Two primary attack methods observed: malware delivery via fake document links and device fingerprinting using invisible tracking pixels
- Attackers bypass traditional security filters by leveraging n8n's trusted infrastructure
Background
n8n is a popular low-code workflow automation platform that allows users to connect applications, APIs, and AI services to automate repetitive tasks. The platform provides free developer accounts with managed cloud hosting, eliminating the need for users to maintain their own infrastructure. Each user gets a custom domain following the format account-name.app.n8n.cloud.
A core feature of n8n is webhook functionality, which enables workflows to receive real-time data from external services when certain events trigger. Webhooks create unique URLs that act as listeners, automatically initiating subsequent workflow steps when accessed. The problem is that these webhook URLs share n8n's legitimate domain, making them appear trustworthy to both users and email security systems.
Attack Methods and Campaign Details
Cisco Talos researchers identified two distinct attack patterns. In malware delivery campaigns, threat actors embed n8n webhook links in emails claiming to share documents. When recipients click the link, they encounter a CAPTCHA page. Completing the CAPTCHA triggers a malicious payload download; because the download is produced by JavaScript embedded in the HTML page served from the webhook, it appears to originate from n8n itself.
The downloaded files are typically executable files or MSI installers that deliver modified versions of legitimate Remote Monitoring and Management tools like Datto and ITarian Endpoint Management. These tools establish persistent access by connecting to attacker-controlled command-and-control servers.
In fingerprinting campaigns, threat actors embed invisible tracking pixels hosted on n8n webhook URLs within phishing emails. Opening the email automatically sends HTTP requests to the n8n URL with tracking parameters like the victim's email address, allowing attackers to identify and catalog active targets.
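The two patterns above (document-lure links and tracking pixels with the recipient's address in the query string) can be flagged at the mail gateway by parsing the HTML body for references to the account-name.app.n8n.cloud tenant domains described earlier. The following is an added detection example, not code from Talos or the n8n project; the sample email, the tenant name and the "/webhook/" path are constructed for illustration, and the rule deliberately keys only on the hostname so it does not depend on the path.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Tenant hostname format from the article: account-name.app.n8n.cloud
N8N_HOST = re.compile(r"^[a-z0-9-]+\.app\.n8n\.cloud$", re.I)
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

class _RefCollector(HTMLParser):
    """Collect <a href> and <img src> references together with their attributes."""
    def __init__(self):
        super().__init__()
        self.refs = []  # (kind, url, attrs)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.refs.append(("link", a["href"], a))
        elif tag == "img" and a.get("src"):
            self.refs.append(("img", a["src"], a))

def _is_tiny(attrs):
    """A 0x0 or 1x1 image is the classic invisible tracking pixel."""
    w = (attrs.get("width") or "").strip()
    h = (attrs.get("height") or "").strip()
    return w in ("0", "1") and h in ("0", "1")

def find_n8n_indicators(html):
    """Return (verdict, url) pairs for every n8n Cloud webhook reference in an email body."""
    p = _RefCollector()
    p.feed(html)
    findings = []
    for kind, url, attrs in p.refs:
        u = urlparse(url)
        if not N8N_HOST.match(u.hostname or ""):
            continue
        qs = parse_qs(u.query)
        # Fingerprinting campaigns pass the victim's address as a tracking parameter.
        has_email = any(EMAIL_VALUE.match(v) for vals in qs.values() for v in vals)
        if kind == "img" and (_is_tiny(attrs) or has_email):
            findings.append(("tracking_pixel", url))
        elif kind == "link":
            findings.append(("document_lure_link", url))
        else:
            findings.append(("n8n_webhook_reference", url))
    return findings

# Constructed sample message (hypothetical tenant name) mixing both patterns with a benign image.
SAMPLE_EMAIL = """<html><body><p>Please review the shared document.</p>
<a href="https://acme-invoices.app.n8n.cloud/webhook/abc123">View document</a>
<img src="https://acme-invoices.app.n8n.cloud/webhook/track?e=victim@example.com" width="1" height="1">
<img src="https://cdn.example.com/logo.png" width="200" height="50"></body></html>"""
```

A hit alone is not proof of malice, since legitimate n8n users send webhook links too; treat it as a signal to combine with sender reputation and the CAPTCHA-gated download behaviour described above.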
Why This Matters
The abuse of n8n represents a significant shift in attack infrastructure. By leveraging legitimate, trusted platforms, threat actors achieve several advantages simultaneously. Traditional email security filters recognize n8n as legitimate infrastructure and allow messages through. Recipients are more likely to trust links originating from recognized domains. The automation capabilities that make n8n valuable for developers become powerful tools for scaling phishing and malware delivery operations.
The flexibility and ease of integration that define n8n's appeal to legitimate users now enables attackers to orchestrate sophisticated multi-stage attack campaigns with minimal manual effort.
Sources
https://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html
https://www.socdefenders.ai/item/3b5ca253-a364-4277-a1a3-285187718d46
https://x.com/TheCyberSecHub/status/2044469384056639872
https://www.cypro.se/2026/04/15/n8n-webhooks-abused-since-october-2025-to-deliver-malware-via-phishing-emails/