Attackers Weaponize n8n Webhooks to Automate Malware Distribution

[Image: Minimalist vector art showing a fishing hook pulling malware from an automation node.]

Security researchers have identified a persistent campaign abusing the popular workflow automation tool n8n to deliver sophisticated malware via phishing emails, bypassing traditional gateway filters.

LONDON — Since October 2025, a sophisticated threat actor has been exploiting the webhook functionality of n8n, an open-source workflow automation platform, to facilitate a global phishing campaign. According to a joint report from Cisco Talos and other intelligence groups, the campaign — dubbed "n8mare" — leverages the platform's legitimate infrastructure to host and deliver malicious payloads, effectively "living off the reputation" of trusted cloud services.

By using n8n’s automated webhooks to process and redirect phishing traffic, attackers have successfully evaded common email security filters that often permit traffic from known automation and productivity tools.

Affected Group | Impact Analysis
Automation Users | Reputational risk if their self-hosted n8n instances are hijacked to distribute malware, leading to IP blacklisting and infrastructure compromise.
Email Security Vendors | Pressure to develop dynamic sandbox environments capable of following multi-step automation workflows and inspecting redirects from trusted cloud domains.
Incident Responders | Increased difficulty in attribution and forensic tracing, as attack traffic is obfuscated by legitimate third-party API traffic and webhook pings.
SaaS Providers | Heightened need to implement proactive monitoring for high-risk workflows, such as those involving unauthenticated external file downloads.

The Anatomy of the Abuse

The campaign begins with a standard phishing email, often disguised as an invoice or a mandatory security update. However, rather than linking directly to a malicious domain, the email contains a link to an n8n-hosted webhook.

When a victim clicks the link, the n8n workflow triggers a series of automated steps:

  1. User Verification: The workflow checks the victim's IP and user-agent string to ensure it is a live target and not a security sandbox.
  2. Payload Delivery: If verified, the workflow automatically redirects the user to a cloud storage bucket containing malware, such as Lumma Stealer or Agent Tesla.
  3. Data Exfiltration: In some instances, the n8n instance is used as a temporary command-and-control (C2) server to receive exfiltrated data before forwarding it to the final attacker-controlled server.

Timeline of the Campaign

Date | Event Milestone
October 2025 | Initial detection of n8n webhooks being used as "open redirects" in phishing campaigns to deliver Lumma Stealer.
Nov 9, 2025 | Researcher Dor Attias (Cyera) discovers and discloses CVE-2026-21858, a critical RCE flaw in n8n's webhook handling.
Nov 18, 2025 | n8n releases version 1.121.0. Cloud instances are patched; self-hosted users are urged to update "quietly."
Jan 7, 2026 | Public disclosure of the "Ni8mare" flaw. A Proof-of-Concept (PoC) is released, leading to a massive spike in exploitation attempts.
March–April 2026 | Cisco Talos reports a secondary wave of automation abuse, with threat actors targeting unpatched legacy instances.

The "Trusted Service" Dilemma

This campaign highlights a growing trend in supply chain abuse where attackers do not compromise the software itself, but rather exploit its intended functionality. Because n8n is a legitimate tool used by thousands of enterprises for business process automation, IT departments often whitelist its domains and webhooks.

Security researchers emphasize that the fault does not lie with n8n’s security architecture, but with the inherent risk of allowing unauthenticated webhooks to perform external redirects.


The CyberSignal Analysis

Signal 01 — The Automation-to-Exploitation Pipeline

The "n8mare" campaign proves that automation is a double-edged sword. While tools like n8n and Zapier increase efficiency for businesses, they also provide attackers with a low-cost, highly scalable infrastructure for malware distribution. As we noted in our coverage of MFA Bypass tactics, attackers are moving away from building their own malicious infrastructure and are instead co-opting the tools your team already trusts.

Signal 02 — The Importance of "URL Rewriting" and Sandbox Inspections

Standard email gateways are increasingly failing to detect "automated" threats. For organizations using n8n, this incident is a call to implement stricter egress filtering. Webhooks should never be allowed to serve as an open proxy to the public internet. Modern security teams must move toward inspecting the destination of the automation, rather than just the source of the link.
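Added example, not code from the Talos report or the n8n project: a small Python checker in the spirit of Signal 02 that follows an email link's redirect chain the way a dynamic sandbox would and flags a trusted automation webhook whose final destination leaves the allowlisted set, covering the redirect step described in "The Anatomy of the Abuse" above. All hostnames, the redirect map, and the fake_fetch helper are constructed stand-ins; a real deployment would replace fake_fetch with an HTTP request that records Location headers.

```python
from urllib.parse import urlparse

# Constructed: automation/productivity hosts a mail gateway tends to trust (not real domains).
TRUSTED_AUTOMATION_HOSTS = {"hooks.example-automation.test", "app.example-n8n.test"}
# Constructed: destinations those automation hosts are expected to redirect users to.
ALLOWED_FINAL_HOSTS = {"intranet.example.test"}

# Constructed stand-in for live HTTP responses: URL -> Location header; absent = served directly.
FAKE_REDIRECTS = {
    "https://hooks.example-automation.test/webhook/invoice": "https://storage.example-bucket.test/dl/Invoice.zip",
    "https://app.example-n8n.test/webhook/secupdate": "https://intranet.example.test/update",
    "https://app.example-n8n.test/webhook/loop-a": "https://app.example-n8n.test/webhook/loop-b",
    "https://app.example-n8n.test/webhook/loop-b": "https://app.example-n8n.test/webhook/loop-a",
}

def fake_fetch(url):
    """Hypothetical fetcher: return the redirect target for url, or None if it serves content directly."""
    return FAKE_REDIRECTS.get(url)

def follow_chain(url, fetch=fake_fetch, max_hops=10):
    """Follow redirects hop by hop, stopping on a loop or after max_hops; returns (chain, truncated)."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, False
        if nxt in seen:
            return chain, True          # loop: the chain never reaches a final page
        chain.append(nxt)
        seen.add(nxt)
    return chain, True                  # hop budget exhausted

def is_webhook_link(url):
    """True for links that land on a trusted automation host's webhook path."""
    p = urlparse(url)
    return p.hostname in TRUSTED_AUTOMATION_HOSTS and p.path.startswith("/webhook")

def assess(url, fetch=fake_fetch):
    """Verdict on one email link: block webhook links whose final destination leaves the allowlisted set."""
    chain, truncated = follow_chain(url, fetch)
    final_host = urlparse(chain[-1]).hostname
    if not is_webhook_link(url):
        verdict = "allow"               # not a webhook link; out of scope for this rule
    elif truncated:
        verdict = "review"              # loop or too many hops: destination unknown, hand to an analyst
    elif final_host in TRUSTED_AUTOMATION_HOSTS or final_host in ALLOWED_FINAL_HOSTS:
        verdict = "allow"
    else:
        verdict = "block"               # trusted host acting as an open redirect to an untrusted destination
    return {"verdict": verdict, "final_host": final_host, "chain": chain}
```

Because the workflow fingerprints the visitor's IP and user-agent before redirecting (step 1 above), a scanner may be served a different chain than a victim, so a "no redirect" result from automated inspection is not proof that a webhook link is benign.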


Sources

Type | Source
Technical Intel | Cisco Talos: Inside the n8mare Campaign
Security News | Hacker News: n8n Webhooks Abused Since 2025
Research Summary | Let’s Data Science: Phishing via n8n Abuse