Hackers abuse n8n AI workflow automation to deliver malware through trusted webhooks
Threat actors are abusing n8n, a legitimate workflow automation platform, to send phishing emails, fingerprint devices, and deliver malware through trusted *.app.n8n.cloud webhook URLs. Cisco Talos says the activity ran from at least October 2025 through March 2026 and used n8n’s webhook feature to make malicious content look like it came from a reputable service.
The core trick is simple. Attackers create free n8n developer accounts, get hosted subdomains, and then use webhook-delivered HTML and JavaScript to serve content from external malicious infrastructure while the victim’s browser still sees the n8n domain in the workflow. That trust layer helps malicious emails and downloads slip past filters that rely too heavily on domain reputation.
Cisco Talos says the abuse has grown sharply. The company observed that emails containing n8n webhook URLs in March 2026 were about 686% higher than in January 2025, which points to a steep increase in real-world misuse of the platform.
How the attack chain works
One of the clearest campaigns spoofed a Microsoft OneDrive shared-folder email. When a victim clicked the n8n-hosted webhook link, the browser opened a phishing page with a CAPTCHA. After the CAPTCHA, a download button appeared and pulled a payload from an external host, but the entire flow looked like it came from the n8n domain because the JavaScript ran inside the webhook-delivered page.
In one case, the downloaded file was DownloadedOneDriveDocument.exe, disguised as a self-extracting archive. Talos says it installed a modified version of the Datto Remote Monitoring and Management tool, then used PowerShell to configure persistence as a scheduled task and connect to a relay on Datto’s centrastage[.]net domain before deleting the original payload files.

Talos also documented a second campaign that used the same basic model but delivered a malicious MSI file instead. That installer deployed a modified ITarian Endpoint Management RMM tool, ran Python modules to steal data, and showed a fake installer progress bar to make the infection look like a normal software install.
Device tracking was part of the abuse too
The malware delivery chains were only part of the story. Talos also found attackers using n8n webhooks for device fingerprinting by embedding invisible tracking pixels in HTML emails. When the email client loaded the hidden image, it automatically sent a request to the n8n webhook, which let the attacker identify the recipient and gather details such as the browser and IP-linked session context.
That matters because it gives attackers a quiet way to validate targets before they push a heavier payload. A user does not need to click a visible link for some of that tracking to happen if the email client fetches the embedded image automatically.

The bigger lesson is not just about n8n. Security teams are now dealing with a broader pattern where legitimate automation and AI-adjacent platforms are being repurposed as attack infrastructure because they are flexible, cheap, and trusted by default. Cisco Talos frames this as a trust abuse problem, not simply a bad-domain problem.
Key details at a glance
| Item | Verified detail |
|---|---|
| Platform abused | n8n |
| Abuse window observed by Talos | October 2025 through March 2026 |
| Main techniques | Malware delivery, phishing, device fingerprinting |
| Delivery method | n8n-hosted webhook URLs in email |
| Malware examples | Modified Datto RMM and modified ITarian RMM |
| User lure | Fake OneDrive shared-folder emails with CAPTCHA |
| Measured trend | Emails with n8n webhook URLs in March 2026 were about 686% higher than in January 2025 |
What defenders should do
- Review whether your organization legitimately uses n8n or similar automation platforms.
- Alert on unexpected traffic to n8n.cloud domains that are not part of approved workflows.
- Look for email-delivered CAPTCHA pages that lead to executable or MSI downloads.
- Hunt for suspicious scheduled tasks tied to recent payload execution.
- Share webhook patterns, hashes, and C2 indicators across security teams and tools.
- Avoid blocking all n8n infrastructure blindly if your business uses it, because Talos says broad domain blocking can break legitimate workflows.
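As an added illustration (not code from the Talos report or from n8n), here is a small mail-scanning check that implements two of the points above: it flags n8n webhook links whose subdomain is not on an allowlist of approved workflows, and it flags hidden image pixels that point at a webhook, the device-fingerprinting pattern described earlier. The allowlist host, the sample email and the `/webhook/` path form are assumptions.

```python
import re
from html.parser import HTMLParser

# Assumed allowlist: webhook subdomains your organization actually uses (constructed).
APPROVED_WORKFLOW_HOSTS = {"acme-ops.app.n8n.cloud"}

# n8n cloud webhook URLs look like https://<sub>.app.n8n.cloud/webhook/<path> (path form assumed).
WEBHOOK_RE = re.compile(r"""https?://([a-z0-9-]+\.app\.n8n\.cloud)/webhook/[^\s"'<>]*""", re.I)


class EmailScanner(HTMLParser):
    """Walks an HTML email body and records n8n webhook links and hidden tracking pixels."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (finding_type, webhook_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("href") if tag == "a" else a.get("src") if tag == "img" else None
        if not url:
            return
        m = WEBHOOK_RE.match(url)
        if not m:
            return
        host = m.group(1).lower()
        if tag == "img" and self._is_hidden(a):
            # Invisible image fetching a webhook: fires on open, no click needed.
            self.findings.append(("tracking_pixel", host))
        elif host not in APPROVED_WORKFLOW_HOSTS:
            self.findings.append(("unapproved_webhook_link", host))

    @staticmethod
    def _is_hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        return tiny or "display:none" in style or "width:1px" in style


def scan_email_html(html: str):
    """Return the list of findings for one HTML email body."""
    scanner = EmailScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample lure in the style of the fake OneDrive shared-folder email.
SAMPLE_EMAIL = """<html><body>
<p>A document was shared with you on OneDrive.</p>
<a href="https://xyz123.app.n8n.cloud/webhook/open-folder">Open shared folder</a>
<img src="https://xyz123.app.n8n.cloud/webhook/px?id=42" width="1" height="1" style="display:none">
<a href="https://acme-ops.app.n8n.cloud/webhook/ticket-ack">Approved internal workflow</a>
</body></html>"""

if __name__ == "__main__":
    for kind, host in scan_email_html(SAMPLE_EMAIL):
        print(f"{kind}: {host}")
```

Feed it message bodies from your mail gateway quarantine or a mailbox export; the approved host in the sample produces no finding, which is the behaviour the last bullet above asks for.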
FAQ
n8n is a legitimate workflow automation platform. Attackers abused its hosted webhook feature to make phishing pages, tracking pixels, and malware downloads look more trustworthy.
The Talos report describes abuse of legitimate n8n accounts and webhook functionality. It does not say attackers compromised n8n’s own infrastructure in the traditional sense. This is an inference from Talos’ description of free developer accounts, hosted subdomains, and webhook misuse.
Talos documented modified Datto RMM and ITarian RMM payloads. In one case, the malware used PowerShell and scheduled tasks for persistence. In another, it used a malicious MSI with Python modules for data theft.
Because the delivery flow rides on trusted automation infrastructure. Security products that lean too heavily on reputation-based checks may give the n8n domain more trust than the underlying payload deserves.