AI Workflow Automation Platform N8n Abused in Phishing Campaigns for Malware Delivery and Device Fingerprinting
Threat actors are abusing **n8n**, an AI workflow automation platform, to run phishing campaigns. Because the lure links and tracking endpoints sit on n8n's own cloud domain, they get past filters that judge a URL by the reputation of its domain, letting attackers deliver malware and fingerprint recipients' devices.

**Cisco Talos** researchers Sean Gallagher and Omid Mirzaei reported in a recent analysis that threat actors are weaponizing n8n to host phishing pages and deliver malicious payloads. The same capabilities that make the platform useful, automating tasks and connecting web applications, APIs, and AI model services, are being turned into a pipeline for gaining persistent remote access to victims' machines.
### N8n: A Double-Edged Sword
n8n is a workflow automation platform that lets users connect web applications and APIs, sync data, and automate repetitive tasks. Users who sign up for the managed cloud-hosted service receive a unique subdomain of the form `<account name>.app.n8n.cloud`, and everything that account exposes, including its webhooks, is reached through that host.
### Webhooks: The Entry Point for Attackers
The platform supports webhooks: URLs that receive data from apps and services when certain events are triggered. Because these URLs live under the `*.app.n8n[.]cloud` subdomain, they inherit the reputation of a legitimate SaaS domain, and according to **Cisco Talos** they have been abused in phishing attacks since at least October 2025.
Webhooks, often described as "reverse APIs," enable real-time information sharing between applications. A webhook URL registers the workflow behind it as a listener: whenever the URL is requested, that workflow runs, and its response can be any content the workflow assembles, including HTML pulled programmatically from elsewhere.

When a request arrives at the webhook URL, the remaining workflow steps run and their result is returned as the HTTP response. If a recipient clicks such a URL from an email, the browser renders that response as a web page. The attacker thereby controls the page content while the address bar shows a domain with a clean reputation, which is the whole point of the technique.
### Exploitation in the Wild
Threat actors are actively using n8n webhook URLs for both malware delivery and device fingerprinting. Talos reports that the volume of email messages containing these URLs rose sharply over the period studied: March 2026 showed a 686% increase compared to January 2025.
In one observed campaign, attackers embed an n8n-hosted webhook link in emails disguised as notifications about a shared document. Clicking the link lands the user on a CAPTCHA-protected page; once the CAPTCHA is solved, a malicious payload is downloaded from an external host. Because the CAPTCHA and the download logic are all JavaScript inside the HTML the webhook returns, the user sees only the n8n domain, and the download appears to originate there even though the payload is fetched from elsewhere.
### Malware Delivery and Device Fingerprinting
The end goal of these attacks is to get the victim to run an executable or an MSI installer that in turn installs modified versions of legitimate Remote Monitoring and Management (RMM) tools such as **Datto** and **ITarian Endpoint Management**. Once installed, the RMM agent checks in to attacker-controlled infrastructure that serves as a command-and-control (C2) server, giving the attacker persistent remote access through software that endpoint defenses often treat as trusted.
Another common tactic uses n8n for device fingerprinting. Attackers embed an invisible image or tracking pixel whose source is an n8n webhook URL in their emails. When the mail client loads the image, it sends an HTTP GET request to the n8n URL. Tracking parameters in the URL, such as the victim's email address, tell the attacker exactly which recipient opened the message, and the request itself carries the client's IP address and User-Agent header, which is enough to profile the device before any payload is sent.
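The two abuse patterns described above, the lure link that opens a webhook-hosted page and the tracking pixel that reports back to a webhook, share one observable: an n8n cloud webhook URL inside an email body. The following Python is an added example, not code from Talos or from the n8n project. It scans an HTML email for such URLs, separates clickable links from hidden images, and pulls out query parameters that look like recipient identifiers. The hostname pattern `<account>.app.n8n.cloud` and the path prefixes `/webhook/` and `/webhook-test/` are what n8n's cloud service uses; the sample email, its account name, webhook IDs and parameter names are constructed for the example. Self-hosted n8n instances on arbitrary domains would not match the hostname check, which is a limitation to keep in mind.

```python
"""Scan an HTML email body for n8n cloud webhook URLs (added example).

Flags two patterns:
  * clickable links pointing at a webhook (malware-delivery lure)
  * <img> tags pointing at a webhook (tracking pixel / fingerprinting),
    including any recipient identifier carried in the query string
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# n8n cloud hosts are <account>.app.n8n.cloud; production webhooks live under
# /webhook/<id>, test webhooks under /webhook-test/<id>. The <id> is treated
# as opaque. Self-hosted n8n on other domains is out of scope for this check.
N8N_HOST_RE = re.compile(r"^[a-z0-9-]+\.app\.n8n\.cloud$", re.I)
WEBHOOK_PATH_RE = re.compile(r"^/webhook(-test)?/", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_n8n_webhook(url):
    """True if url points at an n8n cloud webhook endpoint."""
    parts = urlsplit(url)
    return bool(
        parts.scheme in ("http", "https")
        and N8N_HOST_RE.match(parts.hostname or "")
        and WEBHOOK_PATH_RE.match(parts.path)
    )


def tracking_identifiers(url):
    """Return query parameters whose value looks like an e-mail address."""
    qs = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in qs.items() if v and EMAIL_RE.match(v[0])}


class _Collector(HTMLParser):
    """Collect <a href> targets and <img src> targets with a hidden flag."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            w, h = a.get("width", ""), a.get("height", "")
            style = (a.get("style") or "").replace(" ", "")
            # A 1x1 / 0x0 image or display:none is the classic pixel signature
            hidden = (w in ("0", "1") and h in ("0", "1")) or "display:none" in style
            self.images.append((a["src"], hidden))


def scan_email_html(html):
    """Return findings for lure links and tracking pixels that hit n8n webhooks."""
    p = _Collector()
    p.feed(html)
    findings = []
    for href in p.links:
        if is_n8n_webhook(href):
            findings.append({"kind": "webhook_link", "url": href,
                             "identifiers": tracking_identifiers(href)})
    for src, hidden in p.images:
        if is_n8n_webhook(src):
            findings.append({"kind": "tracking_pixel" if hidden else "webhook_image",
                             "url": src, "identifiers": tracking_identifiers(src)})
    return findings


# Constructed sample: the account name, webhook ids and parameters are made up.
SAMPLE_EMAIL = """
<html><body>
<p>A document has been shared with you.</p>
<a href="https://acme-docs.app.n8n.cloud/webhook/3f2a9c1e-doc?u=jane.doe@example.com">Open document</a>
<img src="https://acme-docs.app.n8n.cloud/webhook/px-77?e=jane.doe@example.com" width="1" height="1">
<img src="https://example.com/logo.png" width="120" height="40">
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL):
        print(finding)
```

Run as a script it prints one `webhook_link` finding and one `tracking_pixel` finding for the constructed sample, each with the recipient address recovered from the query string; the legitimate logo image is ignored. In a mail gateway the same `scan_email_html` call would sit on the inbound path, with a hit on `tracking_pixel` being a strong signal on its own, since a legitimate workflow has little reason to serve images to mail clients.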
### A Call for Vigilance
"The same workflows designed to save developers hours of manual labor are now being repurposed to automate the delivery of malware and fingerprinting devices due to their flexibility, ease of integration, and seamless automation," **Talos** researchers stated. As low-code automation continues to grow, security teams should treat webhook URLs on such platforms the way they treat any other user-generated hosting: inspect the URL and the content it returns rather than trusting the parent domain, so that these platforms remain assets rather than liabilities.