Critical n8n Vulnerability Lets Attackers Deliver Malware via Webhooks

Jennifer Sherman
April 16, 2026, 4 Min Read

Key Takeaways

  • Threat actors are abusing the legitimate AI workflow automation tool n8n to deliver malware and fingerprint victims' devices.
  • The attacks use n8n's webhook feature as designed: free developer accounts come with subdomains under a trusted parent domain, and traffic to or from those subdomains passes the reputation checks of many security gateways.
  • Campaigns observed between October 2025 and March 2026 used phishing emails that led to the installation of legitimate remote monitoring and management (RMM) tools, repurposed as backdoors.
  • Cisco Talos identified the abuse and recommends behavioral detection and AI-driven email security over blanket domain blocking.

Cybercriminals are weaponizing the legitimate AI workflow automation platform n8n for malware delivery, sidestepping security controls that rely on domain reputation. The attackers abuse n8n's webhook feature to host and serve malicious content, usually as one stage of a larger phishing operation. Note that nothing described here is a flaw in n8n's code: the webhooks work exactly as designed, and it is the trust that gateways extend to the platform's domain that is being exploited.

Instead of building their own infrastructure, the attackers use n8n to dispatch phishing emails and deliver payloads to victims' systems. The activity was first detected in October 2025 and persisted through March 2026. During this period, the attackers registered free developer accounts on the n8n platform, each of which is automatically provisioned with a subdomain under the *.app.n8n[.]cloud namespace.

Because these subdomains belong to a widely recognized service, many corporate security gateways treat outbound emails and web requests involving them as trustworthy. The reputation of the parent domain says nothing about who controls a particular tenant subdomain, but reputation-based filters rarely make that distinction, so the attackers could route malicious content through a channel that did not trigger alerts in most email security solutions.

Cisco Talos researchers Sean Gallagher and Omid Mirzaei identified the abuse of the n8n platform and published a detailed analysis of these campaigns. Their investigation found that the primary vector was n8n's URL-exposed webhooks, a standard feature that lets external systems trigger a workflow and receive its response over HTTP.

The researchers noted a significant surge in malicious activity, with the volume of emails containing n8n webhook URLs in March 2026 approximately 68% higher than in January 2025, indicating a sharp and deliberate escalation in the platform’s misuse.

The findings highlighted two concurrent attack objectives: malware delivery and targeted device fingerprinting. By embedding invisible tracking pixels, hosted on n8n webhook URLs, in HTML emails, the attackers could collect device information such as browser type and IP address from recipients who merely opened the email, since the mail client fetches the remote image and the webhook logs the request without the user clicking anything. In parallel, separate phishing campaigns delivered malware payloads to victim machines through the same webhook-based mechanism. A tool intended for workflow automation and developer efficiency was thereby turned into a delivery platform.

Inside the Infection Chain

One of the most thoroughly documented campaigns used phishing emails disguised as Microsoft OneDrive folder-sharing notifications. Clicking the embedded n8n webhook link took recipients to an HTML page with a CAPTCHA challenge. This step served as a rudimentary human-verification gate, filtering out automated scanners and sandboxes that do not solve CAPTCHAs.

Once the CAPTCHA was solved, a download button appeared, and a file named DownloadedOneDriveDocument.exe was retrieved from an external host. Because the download was initiated by JavaScript running on the n8n-hosted page, the browser context and referrer pointed at the trusted n8n domain even though the binary itself came from elsewhere.

When executed, this file installed a modified version of the Datto Remote Monitoring and Management (RMM) tool, a legitimate remote administration application. The malware then used PowerShell commands to register Datto RMM as a scheduled task, establishing a persistent connection to a relay on the centrustage[.]net domain, before deleting itself and the other payload components to hide its presence.

A separate but related campaign used an n8n webhook to deliver a maliciously altered Microsoft Windows Installer (MSI) file. This file installed the ITarian Endpoint Management RMM tool, which functioned as a backdoor and ran Python modules to exfiltrate data from the compromised system, all while showing a fake installer progress bar to mask its activity.

Both campaigns followed the same logic: funnel victims through a trusted domain, disguise the delivery as an ordinary event, and install a remote access tool that persists quietly on the system. The flexibility and ease of integration of the n8n platform made it an ideal vehicle for this strategy, because it removed the need for custom infrastructure.

What You Should Do

  • Implement behavioral detection rules that alert on unusually high volumes of traffic to AI automation platform domains from internal sources that have no business reason to contact them.
  • Flag any endpoint that communicates with AI automation platform tenants (for example, individual *.app.n8n[.]cloud subdomains) that are not in the organization's approved workflow inventory, rather than blocking the whole platform.
  • Share and monitor indicators of compromise (IOCs), including webhook URL structures, malicious file hashes, and known command-and-control domains, through threat intelligence platforms.
  • Deploy AI-driven email security that analyzes behavioral signals such as hidden remote images and CAPTCHA-gated download pages, rather than relying solely on reputation scores, so that threats traversing otherwise trusted infrastructure are still caught.
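The following is an added example, written for this article and not code from Cisco Talos, n8n or the campaign operators, that turns the two detection ideas above into something runnable: it scans an HTML email for links and hidden tracking pixels that point at n8n cloud webhooks (the fingerprinting technique described earlier), and triages proxy log lines against an approved-tenant inventory to surface bursts of traffic to unapproved tenants. The *.app.n8n.cloud suffix comes from the article; the /webhook/ and /webhook-test/ path prefixes are n8n's default webhook URL layout and are an assumption here, as are the APPROVED_TENANTS inventory, the log line format and the tenant name tenant-4f2a. The email and log lines are constructed sample data, not real indicators.

```python
import re
from collections import Counter, defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tenant subdomains live under app.n8n.cloud (from the article). The webhook
# path prefixes below are n8n's default layout and an assumption of this example.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PATH_RE = re.compile(r"^/webhook(?:-test)?/", re.IGNORECASE)

# Hypothetical inventory of the tenants this organisation actually uses.
APPROVED_TENANTS = {"acme-ops.app.n8n.cloud"}


def n8n_webhook_host(url):
    """Return the tenant host if url is an n8n cloud webhook URL, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    # Must be a tenant subdomain, not the bare parent domain, and hit a webhook path.
    if not host.endswith(N8N_CLOUD_SUFFIX) or host == N8N_CLOUD_SUFFIX[1:]:
        return None
    if not WEBHOOK_PATH_RE.match(parts.path):
        return None
    return host


class WebhookRefFinder(HTMLParser):
    """Collect <a href> links and hidden <img src> pixels that target n8n webhooks."""

    def __init__(self):
        super().__init__()
        self.links = []   # clickable links to n8n webhooks
        self.pixels = []  # image loads that look like tracking pixels

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and n8n_webhook_host(a.get("href", "")):
            self.links.append(a["href"])
        elif tag == "img" and n8n_webhook_host(a.get("src", "")) and self._is_hidden(a):
            self.pixels.append(a["src"])

    @staticmethod
    def _is_hidden(a):
        # 1x1 / 0x0 images or CSS-hidden images are the classic tracking-pixel shape.
        style = a.get("style", "").replace(" ", "").lower()
        tiny = all(a.get(dim, "").strip("\"'px ") in ("0", "1") for dim in ("width", "height"))
        return tiny or "display:none" in style or "visibility:hidden" in style


def scan_email_html(html):
    """Return n8n webhook links and hidden pixels found in an HTML email body."""
    finder = WebhookRefFinder()
    finder.feed(html)
    return {"links": finder.links, "pixels": finder.pixels}


# Assumed proxy log shape: "<timestamp> src=<client ip> url=<requested url>".
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+url=(?P<url>\S+)")


def triage_proxy_log(lines, approved=APPROVED_TENANTS, burst_threshold=3):
    """Flag sources talking to unapproved n8n tenants and sources bursting to n8n webhooks."""
    hits_per_src = Counter()
    unapproved = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        host = n8n_webhook_host(m.group("url"))
        if host is None:
            continue  # not an n8n webhook (e.g. the vendor's marketing site)
        src = m.group("src")
        hits_per_src[src] += 1
        if host not in approved:
            unapproved[src].add(host)
    bursts = sorted(s for s, n in hits_per_src.items() if n >= burst_threshold)
    return {"unapproved": {s: sorted(h) for s, h in unapproved.items()}, "bursts": bursts}


# Constructed sample data (not real indicators).
SAMPLE_EMAIL = """<html><body>
<p>Someone shared a OneDrive folder with you.</p>
<a href="https://tenant-4f2a.app.n8n.cloud/webhook/open-folder">Open folder</a>
<img src="https://tenant-4f2a.app.n8n.cloud/webhook/px?id=42" width="1" height="1">
<img src="https://cdn.example.net/logo.png" width="120" height="40">
</body></html>"""

SAMPLE_PROXY_LOG = [
    "2026-03-12T09:14:02Z src=10.20.4.17 url=https://acme-ops.app.n8n.cloud/webhook/ticket-sync",
    "2026-03-12T09:14:05Z src=10.20.4.31 url=https://tenant-4f2a.app.n8n.cloud/webhook/open-folder",
    "2026-03-12T09:14:06Z src=10.20.4.31 url=https://tenant-4f2a.app.n8n.cloud/webhook/px?id=42",
    "2026-03-12T09:14:09Z src=10.20.4.31 url=https://tenant-4f2a.app.n8n.cloud/webhook/dl",
    "2026-03-12T09:15:00Z src=10.20.4.50 url=https://www.n8n.io/",
]

if __name__ == "__main__":
    print(scan_email_html(SAMPLE_EMAIL))
    print(triage_proxy_log(SAMPLE_PROXY_LOG))
```

Running the block flags the 1x1 image as a tracking pixel and the OneDrive link as a webhook link, and in the log it reports 10.20.4.31 both for contacting a tenant outside the inventory and for three webhook hits in a few seconds, while the approved tenant and the vendor's public site produce nothing. The point of keying on tenant subdomain rather than the parent domain is the one Talos makes: block the tenant you have never seen, not the platform your own workflows depend on.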

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
