
Threat Actors Exploit n8n Webhooks for Malware Distribution

Tech & Science · AI-Generated & Algorithmically Scored · 1 update

AI-generated from multiple sources. Verify before acting on this reporting.

Update

LONDON (Reuters) - Further reports have confirmed the scope of the n8n webhook abuse campaign. Security analysts have identified additional instances of the technique across multiple sectors, reinforcing the initial finding that the campaign is active. The malicious infrastructure remains operational, with threat actors continuing to trade on the automation platform's reputation to get links past security controls, and the activity appears both more persistent and broader in reach than previously documented. Organizations are advised to treat unsolicited links that point to n8n webhook URLs with suspicion; the webhook is the first hop of the attack, and the malicious destination behind it is not visible in the link itself. No new technical indicators have been released, but the number of confirmed incidents has grown, which suggests the campaign's impact on targeted entities is intensifying.

Original Report —

LONDON (Reuters) - Cyber threat actors have been abusing n8n webhooks since October 2025 to deliver malware and fingerprint devices through phishing campaigns, security researchers said on Monday.

The technique trades on the reputation of n8n, a popular workflow automation platform, to get past email security filters that judge links by the domain they point to. Rather than linking directly to a malicious site, the attacker creates a workflow whose webhook URL is the link placed in the email; when the victim opens it, the workflow responds by redirecting to a phishing page or serving a malicious payload. Because the visible link points at an n8n-hosted endpoint, reputation-based spam and URL filters see only the trusted intermediary and never the final destination. Nothing in the reporting indicates a vulnerability in n8n itself; the webhook and its response are features the platform offers by design.

The campaign, which has been observed globally, is a notable instance of cybercriminals using legitimate infrastructure to evade detection. Security experts noted that the webhook masks the true destination of the link, so organizations cannot identify or block the threat by domain reputation alone: the destination is only revealed once the link is followed.

The attacks typically begin with a phishing email containing a link to what appears to be a legitimate n8n instance. When clicked, the webhook redirects the victim to a malicious site or initiates a malware download. In some cases the webhook response instead serves a page that collects a device fingerprint (browser, operating system and similar attributes), giving the attackers information about the victim's system for later, more targeted attacks.

The use of n8n webhooks in these campaigns highlights the growing trend of attackers abusing trusted third-party services to conduct malicious activities. By leveraging the reputation of legitimate platforms, threat actors can increase the success rate of their phishing attempts and reduce the likelihood of their activities being flagged by security systems.

Security firms have advised organizations to monitor for suspicious n8n webhook activity and to add detection layers that do not rely on the reputation of the linking domain. In practice this means watching inbound mail and proxy logs for links to n8n webhook endpoints (the /webhook/ and /webhook-test/ paths of an n8n instance, and n8n Cloud hostnames), resolving where suspicious links actually lead in a sandbox rather than trusting the URL, and allowlisting the organization's own n8n instances so that legitimate automation is not blocked. Employees should also be reminded that a link can be dangerous even when it appears to come from a trusted platform.
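As an added example (not code from the article, and not anything published by n8n), the script below applies the monitoring advice above to mail bodies and ties it back to the link structure described earlier in the piece: it extracts URLs, flags those that point at an n8n webhook endpoint, and skips the organization's own n8n hosts so legitimate automation is not blocked. The /webhook/ and /webhook-test/ path prefixes are n8n's default webhook routes; the .app.n8n.cloud hostname suffix, the allowlisted host automation.corp.example, and all sample messages are assumptions constructed for this example, not indicators taken from the reporting.

```python
import re
from urllib.parse import urlparse

# Default path prefixes under which an n8n instance exposes Webhook-trigger
# nodes: /webhook/<path> for production URLs, /webhook-test/<path> while a
# workflow is being tested in the editor.
N8N_WEBHOOK_PATH = re.compile(r"^/webhook(?:-test)?/[^/?#]+", re.IGNORECASE)

# Hostname suffix of n8n Cloud tenants (assumption for this example; adjust to
# the patterns actually observed in your own telemetry).
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"

# Self-hosted n8n instances this organization runs itself (hypothetical host).
# Links to these are legitimate automation and must not be flagged; keep the
# list short and reviewed, since anything on it is exempt from detection.
ALLOWLISTED_N8N_HOSTS = {"automation.corp.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Pull http(s) URLs out of free text, trimming trailing punctuation."""
    return [u.rstrip(".,;:)]") for u in URL_RE.findall(text)]


def n8n_webhook_reason(url):
    """Return why a URL looks like an n8n webhook endpoint, or None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in ALLOWLISTED_N8N_HOSTS:
        return None
    on_cloud = host.endswith(N8N_CLOUD_SUFFIX)
    webhook_path = bool(N8N_WEBHOOK_PATH.match(parsed.path))
    if on_cloud and webhook_path:
        return "webhook URL on an n8n Cloud tenant"
    if webhook_path:
        return "n8n-style webhook path on a host we do not operate"
    if on_cloud:
        # Lower confidence: could be an editor or share link, not a webhook.
        return "link into an n8n Cloud tenant"
    return None


def is_n8n_webhook_url(url):
    return n8n_webhook_reason(url) is not None


def scan_messages(messages):
    """Flag messages whose body links to a suspected n8n webhook.

    `messages` is a list of dicts with keys id, sender and body. One finding is
    returned per suspicious URL so an analyst can resolve the final destination
    in a sandbox; the webhook URL alone does not reveal where it redirects.
    """
    findings = []
    for msg in messages:
        for url in extract_urls(msg["body"]):
            reason = n8n_webhook_reason(url)
            if reason:
                findings.append({"message_id": msg["id"], "sender": msg["sender"],
                                 "url": url, "reason": reason})
    return findings


# Constructed sample mail, not real traffic: every host and path is invented.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "billing@vendor.example",
     "body": "Your invoice is ready: https://example-tenant.app.n8n.cloud/webhook/invoice-review."},
    {"id": "m2", "sender": "it@corp.example",
     "body": "Submit tickets via https://automation.corp.example/webhook/ticket-intake"},
    {"id": "m3", "sender": "hr@corp.example",
     "body": "Handbook: https://docs.corp.example/handbook.pdf"},
    {"id": "m4", "sender": "noreply@shipping.example",
     "body": "Track your parcel: https://n8n.attacker.example/webhook-test/track (link expires soon)"},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f['message_id']} from {f['sender']}: {f['url']} [{f['reason']}]")
```

Run against the sample set, the script flags m1 (a webhook on an assumed n8n Cloud tenant) and m4 (an n8n-style webhook path on an unknown self-hosted instance) and leaves the allowlisted internal instance and the ordinary document link alone. A finding is a lead, not a verdict: plenty of organizations receive legitimate n8n webhook links, so the next step is to detonate the URL in a sandbox and record the redirect chain or payload, which is the evidence the reporting says the visible link deliberately hides.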

The full extent of the campaign remains unclear, with security researchers continuing to investigate the scope of the attacks and the number of organizations affected. As the threat landscape evolves, the abuse of legitimate infrastructure is expected to become an increasingly common tactic among cybercriminals.

The incident underscores the need for organizations to remain vigilant and to adopt a defense-in-depth strategy to protect against evolving cyber threats. As attackers continue to find new ways to exploit trusted services, the burden of detection and prevention falls increasingly on organizations to stay ahead of the curve.