Attackers abuse n8n workflow automation webhooks to deliver malware
Farah Amod
May 2, 2026
A phishing campaign exploiting the webhook infrastructure of a widely used AI workflow automation platform has been active for six months, with email volume carrying malicious n8n URLs in March 2026 running 686 percent higher than in January 2025.
What happened
Researchers have documented a sustained campaign in which threat actors abuse n8n, an open-source workflow automation platform, to deliver malware and perform device fingerprinting through phishing emails. According to The Hacker News, the abuse of n8n's publicly exposed webhook URLs has been observed in phishing campaigns dating to October 2025. Because each n8n cloud account generates a custom subdomain in the *.app.n8n.cloud format, malicious links originating from these accounts use a domain that appears to belong to a recognized development and automation platform, allowing them to bypass standard email security filters. Researchers noted that the volume of emails containing malicious n8n webhook URLs in March 2026 was approximately 686 percent higher than in January 2025.
Going deeper
The emails work because the links genuinely come from n8n's own servers, not from a suspicious, unknown domain. When a recipient clicks the link, they land on a page with a CAPTCHA. Completing it triggers a malware download that installs a modified version of legitimate remote access software, giving the attacker ongoing control of the victim's computer. Security tools are unlikely to flag it because the software resembles tools IT departments already use. A second variation of the campaign is even more passive. An invisible image embedded in the email automatically contacts an n8n server the moment the email is opened, sending the attacker the recipient's email address. No click is required; simply opening the message confirms to the attacker that the address is real and active, making it a useful targeting tool for follow-on attacks.
What was said
Researchers stated in their April 15 analysis that "by leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote access." Researchers added that "the same workflows designed to save developers hours of manual labor are now being repurposed to automate the delivery of malware and fingerprinting devices due to their flexibility, ease of integration, and seamless automation," and that "it's the responsibility of security teams to ensure these platforms and tools remain assets rather than liabilities."
In the know
The n8n platform has drawn sustained security attention in 2026 beyond its abuse in phishing campaigns. According to BleepingComputer, CISA added an n8n remote code execution vulnerability to its Known Exploited Vulnerabilities catalog in March 2026 and ordered federal agencies to patch within three weeks. Separately, a maximum-severity vulnerability in n8n's webhook handling dubbed Ni8mare was disclosed in January 2026, with researchers finding nearly 60,000 unpatched instances exposed online at the time of disclosure. The combination of active exploitation of the platform's vulnerabilities and the abuse of its legitimate features for phishing reflects a pattern in which popular automation and developer tools are targeted on multiple fronts simultaneously.
The big picture
For healthcare organizations, the practical risk is straightforward: staff receive dozens of shared document notifications every day from platforms they recognize and trust. A malicious n8n link looks identical to a legitimate one, and there is no visual cue to distinguish it. The invisible tracking pixel variant makes exposure even more passive: an email does not need to be acted on to confirm a target. According to the FBI's 2025 Internet Crime Report, BEC and credential theft attacks generated $3 billion in reported losses in 2025 alone, with healthcare ranking as the most targeted critical infrastructure sector. As healthcare organizations add more automation and workflow tools to their operations, each new platform connected to staff email creates another trusted channel that attackers can abuse in the same way.
FAQs
What is a webhook, and why does it make n8n URLs appear trustworthy?
A webhook is a URL that an application listens on to receive data from external services. n8n-hosted webhooks use the platform's own subdomain, meaning links in phishing emails carrying those URLs appear to originate from n8n's infrastructure rather than an unknown or suspicious domain. Email security filters that trust recognized developer platforms will allow these messages to pass.
How does the tracking pixel technique work, and why does it matter for targeting?
An invisible one-pixel image hosted on an n8n webhook URL, embedded in an email body, causes the recipient's email client to automatically fetch the image when the message is opened. That fetch request includes identifiers such as the recipient's email address, confirming to the attacker that the address is active and the message was opened, enabling them to prioritize confirmed live targets for follow-on payloads.
Why does the modified RMM tool approach make detection harder than standard malware?
Legitimate RMM software is signed, recognized by operating systems, and generates the same type of network traffic as authorized IT management tools. Security tools configured to allow known RMM platforms may not flag a modified version, and the ongoing connections the tool maintains with its command-and-control server are indistinguishable from legitimate IT support activity.
Does this type of attack require any action from the user to succeed?
The malware delivery variant requires the user to complete a CAPTCHA and initiate a download, meaning user action is required. The tracking pixel variant, however, fires automatically when the email is opened in most standard email clients, requiring no click or interaction from the recipient at all.
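A defender-side check that matches what the article and the FAQs describe (links under *.app.n8n.cloud and the hidden image pixel), written as an added example that is not part of the original article: it scans an email body for references to n8n cloud webhook endpoints and rates hidden images as likely tracking pixels. The `/webhook/` and `/webhook-test/` path prefixes and the sample email are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname suffix of n8n cloud tenants, as described in the article.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
# Path prefixes n8n uses for production and test webhooks (assumption
# based on n8n's URL layout; self-hosted instances use their own host).
WEBHOOK_PATH_PREFIXES = ("/webhook/", "/webhook-test/")


class _RefCollector(HTMLParser):
    """Collects <a href> and <img src> references with their attributes."""
    def __init__(self):
        super().__init__()
        self.refs = []  # (kind, url, attrs)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.refs.append(("link", attrs["href"], attrs))
        elif tag == "img" and attrs.get("src"):
            self.refs.append(("image", attrs["src"], attrs))


def _is_hidden_image(attrs):
    """True for 1x1, zero-sized or CSS-hidden images (tracking-pixel shape)."""
    size = {attrs.get("width", ""), attrs.get("height", "")}
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return bool(size & {"0", "1"}) or "display:none" in style


def is_n8n_webhook(url):
    """True when the URL points at a webhook endpoint on an n8n cloud tenant."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return host.endswith(N8N_CLOUD_SUFFIX) and p.path.startswith(WEBHOOK_PATH_PREFIXES)


def scan_email_html(html):
    """Return (severity, kind, url) findings for every n8n webhook reference."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for kind, url, attrs in collector.refs:
        if not is_n8n_webhook(url):
            continue
        if kind == "image":
            hidden = _is_hidden_image(attrs)
            findings.append(("high" if hidden else "medium",
                             "tracking-pixel" if hidden else "remote-image", url))
        else:
            findings.append(("high", "webhook-link", url))
    return findings


# Constructed sample: a fake "shared document" notice, not a real campaign email.
SAMPLE_EMAIL = """<html><body><p>A document has been shared with you.</p>
<a href="https://example-tenant.app.n8n.cloud/webhook/open-doc?id=123">Open document</a>
<a href="https://docs.example.com/help">Help</a>
<img src="https://example-tenant.app.n8n.cloud/webhook/px?id=123" width="1" height="1">
</body></html>"""
```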
