Signal

Attackers exploit n8n AI workflow platform for phishing and malware delivery since October 2025

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-04-15 17:09 UTCUpdated 2026-04-16 16:44 UTC

rss

phishingmalwaresecurity_toolingincident_response

Source links open

Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.

Back Evidence (2)Get the free brief by email Start free trial

No card needed for the free brief.

Evidence trail (top sources)

top sources (2 domains)

2 top sources shown

AI workflow platform n8n abused for phishing and device fingerprinting

SC Media · News · scworld.com · 2026-04-16 16:44 UTC

n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails

thehackernews · News · thehackernews.com · 2026-04-15 17:09 UTC

limited source diversity in top sources

View all evidence

Overview

The AI workflow automation platform n8n has been exploited by cybercriminals since October 2025 to facilitate phishing attacks and malware distribution. Attackers utilize n8n's webhook feature, which exposes unique URLs on the *.app.n8n.cloud subdomain, to trigger automated workflows upon receiving data. This abuse allows them to send phishing emails that deliver malicious payloads or fingerprint devices, leveraging the platform's trusted infrastructure to evade detection by conventional security defenses.

Entities

n8n

Score total

1.02

Momentum 24h

Posts

Origins

Source types

Duplicate ratio

Why now

The abuse has been ongoing since October 2025, highlighting a persistent threat.
Recent reports bring renewed attention to the misuse of AI automation tools.
Organizations using n8n should be aware and monitor for suspicious webhook activity.

Why it matters

Attackers exploit trusted AI workflow platforms to bypass security filters.
Phishing campaigns using n8n infrastructure can deliver malware and fingerprint devices.
Understanding this abuse helps improve detection and incident response strategies.

LLM analysis

Topic mix: lowPromo risk: lowSource quality: medium

Recurring claims

n8n webhooks have been abused since October 2025 to deliver malware via phishing emails and device fingerprinting.

How sources frame it

The Hacker News: neutral
SC Media: neutral

All evidence

AI workflow platform n8n abused for phishing and device fingerprinting

SC Media · scworld.com · 2026-04-16 16:44 UTC

n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails

thehackernews · thehackernews.com · 2026-04-15 17:09 UTC

Show filters & breakdown

Posts loaded: 0Publishers: 2Origin domains: 2Duplicates: -

Platform

Publisher

Origin domain

Relevance tier

Duplicates only

Showing 2 / 0

Top publishers (this list)

SC Media (1)
thehackernews (1)

Top origin domains (this list)

scworld.com (1)
thehackernews.com (1)