Cybersecurity

Cyber: N8n Webhooks Abused Since October 2025 To Deliver Malware Via

2026-04-15 0 views admin
Cyber: N8n Webhooks Abused Since October 2025 To Deliver Malware Via

Threat actors have been observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated emails. "By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote access," Cisco Talos researchers Sean Gallagher and Omid Mirzaei said in an analysis published today. N8n is a workflow automation platform that allows users to connect various web applications, APIs, and AI model services to sync data, build agentic systems, and run repetitive rule-based tasks. Users can register for a developer account at no extra cost to avail a managed cloud-hosted service and run automation workflows without having to set up their own infrastructure.Doing so, however, creates a unique custom domain that goes by the format – .app.n8n.cloud – from where a user can access their applications. The platform also supports the ability to create webhooks to receive data from apps and services when certain events are triggered.Thismakes it possible to initiate a workflow after receiving certain data.The data, in this case, is sent via a unique webhook URL. According to Cisco Talos, it's these URL-exposed webhooks – which make use of the same *.app.n8n[.]cloud subdomain – that has been abused in phishing attacks as far back as October 2025. "A webhook, often referred to as a 'reverse API,' allows one application to provide real-time information to another. These URLs register an application as a 'listener' to receive data, which can include programmatically pulled HTML content," Talos explained. "When the URL receives a request, the subsequent workflow steps are triggered, returning results as an HTTP data stream to the requesting application. If the URL is accessed via email, the recipient's browser acts as the receiving application, processing the output as a web page." What makes this significant is that it opens a new door for threat actors to propagate malware while maintaining a veneer of legitimacy by giving the impression that they are originating from a trusted domain. Threat actors have wasted no time taking advantage of the behavior to set up n8n webhook URLs for malware delivery and device fingerprinting. The volume of email messages containing these URLs in March 2026 is said to have been about 686% highe

Source: The Hacker News

🏷️ Tags

cybersecuritysecurityinfoseccyberwebhooksabusedsinceoctoberdelivermalware

More from Cybersecurity

Cyber: Critical Nginx UI auth bypass flaw now actively exploited in the wild (2026)

Cyber: Critical Nginx UI auth bypass flaw now actively exploited in the wild (2026)

2026-04-15 0
Cyber: New AgingFly malware used in attacks on Ukraine govt, hospitals - Complete Guide

Cyber: New AgingFly malware used in attacks on Ukraine govt, hospitals - Complete Guide

2026-04-15 0
Cyber: Critical Mcp Integration Flaw Puts Nginx At Risk (2026)

Cyber: Critical Mcp Integration Flaw Puts Nginx At Risk (2026)

2026-04-15 0
Cyber: WordPress plugin suite hacked to push malware to thousands of sites - Analysis

Cyber: WordPress plugin suite hacked to push malware to thousands of sites - Analysis

2026-04-15 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views