n8n Webhooks Abused for Malware Delivery via Phishing
Shimi’s Cyber World is tracking reports from The Hacker News indicating that threat actors have been weaponizing n8n, a popular AI workflow automation platform, to facilitate sophisticated phishing campaigns. These campaigns, observed since at least October 2025, are designed to deliver malicious payloads or fingerprint devices by sending automated emails.
According to The Hacker News, attackers are leveraging n8n’s webhooks to bypass traditional security filters. This tactic turns what’s intended as a productivity tool into a potent delivery mechanism for malware. The use of trusted infrastructure like n8n’s makes these phishing attempts particularly insidious, as they can often slip past email gateways and user awareness training designed to flag external, suspicious communications.
What This Means For You
- If your organization uses n8n or similar workflow automation platforms, you need to be acutely aware of this abuse vector. Audit your n8n webhook configurations and logs for any unauthorized or suspicious activity immediately. Educate your users that even emails originating from seemingly legitimate automation platforms could be malicious.
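One way to start the log audit suggested above, as an added example (not code from The Hacker News report or from n8n): it extracts links from message bodies and flags n8n Cloud webhook URLs whose tenant is not one your organization runs. The `<tenant>.app.n8n.cloud/webhook/...` URL shape, the tenant names and the sample messages are assumptions made for this example; self-hosted n8n instances use their own hostnames and are not covered.

```python
import re
from urllib.parse import urlsplit

# Assumption: n8n Cloud webhook URLs look like
# https://<tenant>.app.n8n.cloud/webhook/<path> (or /webhook-test/ for test runs).
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def refang(text):
    """Undo common defanging so URLs copied from reports or tickets still parse."""
    return text.replace("hxxp", "http").replace("[.]", ".")

def find_n8n_webhooks(text, own_tenants):
    """Return (tenant, path, verdict) for every n8n Cloud webhook link in text."""
    hits = []
    for raw in URL_RE.findall(refang(text)):
        try:
            parts = urlsplit(raw.rstrip(".,;)"))
            # .hostname drops userinfo, so "tenant.app.n8n.cloud@other.example"
            # is judged by its real host, not by the decoy before the '@'.
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed URL, e.g. a stray '[' in the host
            continue
        if not host.endswith(N8N_CLOUD_SUFFIX):
            continue
        if not parts.path.startswith(WEBHOOK_PREFIXES):
            continue
        tenant = host[: -len(N8N_CLOUD_SUFFIX)]
        verdict = "sanctioned" if tenant in own_tenants else "unsanctioned"
        hits.append((tenant, parts.path, verdict))
    return hits

def triage(messages, own_tenants):
    """Map message id -> webhook links that point at tenants you do not run."""
    flagged = {}
    for msg_id, body in messages.items():
        bad = [h for h in find_n8n_webhooks(body, own_tenants) if h[2] == "unsanctioned"]
        if bad:
            flagged[msg_id] = bad
    return flagged

# Constructed sample data: hypothetical tenant names and message bodies.
OWN_TENANTS = {"acme-ops"}
SAMPLE_MESSAGES = {
    "msg-001": 'Report ready: <a href="https://acme-ops.app.n8n.cloud/webhook/invoice-ready">view</a>',
    "msg-002": "Shared file: hxxps://example-tenant[.]app[.]n8n[.]cloud/webhook/3f2a/download?id=7",
    "msg-003": "See https://docs.n8n.io/ and https://n8n.cloud/pricing",
    "msg-004": "Open https://acme-ops.app.n8n.cloud@files.example.net/webhook/x",
}
```

Run `triage()` over bodies exported from your mail gateway or proxy logs; keep the sanctioned-tenant set in sync with the n8n workspaces your teams actually own.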
🛡️ Detection Rules
1 auto-generated detection rule for this incident, mapped to MITRE ATT&CK. Available in Sigma, Splunk SPL, Sentinel KQL, Elastic Lucene, QRadar AQL, and Wazuh.
Exploitation Attempt — n8n
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| n8n-Webhook-Abuse | Phishing | n8n AI workflow automation platform |
| n8n-Webhook-Abuse | Malware Delivery | n8n webhooks abused for payload delivery |
| n8n-Webhook-Abuse | Information Disclosure | n8n webhooks abused for device fingerprinting |