Attackers have been actively using the n8n automation platform to conduct phishing campaigns and deliver malware for several months. Researchers say the campaign has been ongoing since at least October 2025, and the volume of attacks is rapidly increasing.
Cisco Talos says: “Attackers utilize the trusted infrastructure of the service to evade standard security filters. The end result is an automation tool that was created to streamline your workflow has become a mechanism by which to distribute malware and establish remote access to computer systems.”
“By utilizing trusted infrastructure, these attackers avoid traditional security filters and convert productive tools into vehicles for continuous remote access,” explained Cisco Talos researchers Sean Gallagher and Omid Mirzai.
n8n is a platform where users create workflows (or ‘recipes’) that chain together multiple web services, APIs and artificial intelligence tools to perform complex tasks automatically. Because the service is hosted, users do not have to deploy their own infrastructure: they sign up for an n8n account and receive their own subdomain of the form <name>.app.n8n.cloud.
These attacks rely on webhooks. A webhook passes data to an application and triggers an automated task when its URL is accessed. Attackers began using large numbers of webhook URLs on domains of the form *.app.n8n.cloud to launch mass phishing campaigns.
According to the researchers, a webhook operates as a “reverse API”: an API that transfers data from one system to another in real time. When a user clicks a webhook link received by email, the browser requests the webhook URL and renders the response as a normal web page. This gives attackers a significant advantage: because the malicious content appears to originate from a legitimate domain, it is considerably harder to detect.
Talos reports that the number of emails containing links to such webhooks increased dramatically. In January 2025, Talos reported there were approximately 686% more emails containing links to n8n webhooks compared to March 2026.
Here’s how the attack typically unfolds:
A) A user receives an email claiming to contain a shared document.
B) Inside the document is a link to an n8n webhook.
C) On visiting the page, the user is shown a CAPTCHA.
D) When the user completes the CAPTCHA, a malicious file from another server begins downloading.
E) The researchers noted that all of the attack logic resides in JavaScript embedded in the HTML page. As a result, the browser perceives the download as originating from the n8n domain.
F) The final goal of such campaigns is typically to run an executable or an MSI installer. These files are usually either modified builds of legitimate remote administration tools (such as Datto or ITarian) or other remote administration tools that give the attackers a persistent connection to a management server, and thereby access to the system.
There is another way n8n may be exploited: collecting user data. Hidden tracking pixels inserted into emails load a webhook. When the recipient opens the email, a request is made to the webhook carrying parameters that identify the recipient, including their email address.
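As an added example (not code from Talos or from the n8n project), the following scanner flags both patterns described above in an email body: visible links to webhooks on *.app.n8n.cloud tenants, and image tags that point at such a webhook and are either tiny or carry recipient-identifying query parameters. The “/webhook” path prefix is the standard n8n webhook route; the parameter names treated as recipient identifiers, the tenant name and the sample message are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Hosted n8n tenants live under <name>.app.n8n.cloud (named in the article).
# The "/webhook" (or "/webhook-test") path prefix is n8n's webhook route; assumption stated in the lead-in.
N8N_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PATH = re.compile(r"^/webhook(-test)?/", re.I)
# Query keys commonly used to identify a recipient (assumed list; tune to what your mail flow shows).
RECIPIENT_KEYS = {"email", "e", "uid", "id", "rcpt", "to", "user"}


def is_n8n_webhook(url):
    """True if url points at a webhook on a hosted n8n tenant (suffix match, not substring)."""
    p = urlparse(url)
    return (p.scheme in ("http", "https") and p.hostname is not None
            and p.hostname.endswith(N8N_SUFFIX) and bool(WEBHOOK_PATH.match(p.path)))


class _Extractor(HTMLParser):
    """Collect (kind, url) findings for <a href> and <img src> that hit n8n webhooks."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href") and is_n8n_webhook(a["href"]):
            self.findings.append(("link", a["href"]))
        elif tag == "img" and a.get("src") and is_n8n_webhook(a["src"]):
            # A 0/1-pixel image or recipient-identifying parameters marks a tracking pixel.
            tiny = (a.get("width") or "").strip() in ("0", "1") or (a.get("height") or "").strip() in ("0", "1")
            q = parse_qs(urlparse(a["src"]).query)
            ident = bool(RECIPIENT_KEYS & {k.lower() for k in q})
            self.findings.append(("tracking_pixel" if (tiny or ident) else "image", a["src"]))


def scan_email_html(html):
    ex = _Extractor()
    ex.feed(html)
    return ex.findings


# Constructed sample reproducing the two patterns (not a real campaign message).
SAMPLE = """<p>A document was shared with you.</p>
<a href="https://acme-docs.app.n8n.cloud/webhook/3f2a">Open document</a>
<img src="https://acme-docs.app.n8n.cloud/webhook/px?email=alice%40example.com" width="1" height="1">
<img src="https://cdn.example.com/logo.png">"""

if __name__ == "__main__":
    for kind, url in scan_email_html(SAMPLE):
        print(kind, url)
```

Because the check is a host suffix match rather than a substring search, a look-alike such as `x.app.n8n.cloud.example.com` is not flagged, while any tenant under the real suffix is.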
Talos stated that “the same workflows that were previously designed for automation are now being used for delivering malware and collecting data due to their flexibility and ease of integration.”
Experts also believe that with the emergence of low-code platforms, the responsibility for security shifts directly onto those who use them.